Topic: Apache 2.2.11a available, upgrade APR, APR-Util and OpenSSL

Author: Steffen (Moderator)
Joined: 15 Oct 2005, Posts: 3092, Location: Hilversum, NL, EU
Posted: Thu 04 Jun '09 22:07
Post subject: Apache 2.2.11a available, upgrade APR, APR-Util and OpenSSL
Apache 2.2.11a available. Upgraded Apache 2.2.11 binary with the latest APR 1.3.5, APR-util 1.3.7 and OpenSSL 0.9.8k. See the changes below.
Enjoy,
Steffen
APR-util Changes between 1.3.4 and 1.3.7
Changes with APR-util 1.3.7
*) SECURITY:
Fix a denial of service attack against the apr_xml_* interface
using the "billion laughs" entity expansion technique.
[Joe Orton]
Changes with APR-util 1.3.6
*) Minor build and bug fixes.
Changes with APR-util 1.3.5
*) SECURITY: CVE-2009-0023 (cve.mitre.org)
Fix underflow in apr_strmatch_precompile.
[Matthew Palmer]
*) Fix off by one overflow in apr_brigade_vprintf.
[C. Michael Pilato]
*) APR_LDAP_SIZELIMIT should prefer LDAP_DEFAULT_LIMIT/-1 when the
SDK supports it, but in the absence of LDAP_DEFAULT_LIMIT (and
LDAP_NO_LIMIT/0) it is not safe to use a literal -1.
PR23356 [Eric Covener]
*) Clean up ODBC types. Warnings seen when compiling packages for
Fedora 11. [Bojan Smojver]
*) Use of my_init() requires my_global.h and my_sys.h.
[Bojan Smojver]
*) Fix apr_memcache_multgetp memory corruption and incorrect error
handling. PR 46588 [Sami Tolvanen]
*) Fix memcache memory leak with persistent connections.
PR 46482 [Sami Tolvanen]
*) Add Oracle 11 support. [Bojan Smojver]
*) apr_dbd_freetds: Avoid segfault when process is NULL.
Do no print diagnostics to stderr. Never allow driver to exit
process. [Bojan Smojver]
*) apr_dbd_freetds: The sybdb.h header file might be freetds/sybdb.h
or sybdb.h. [Graham Leggett]
*) LDAP detection improvements: --with-ldap now supports library names
containing non-alphanumeric characters, such as libldap-2.4.so. New
option --with-lber can be used to override the default liblber name.
Fix a problem reporting the lber library from apu-N-config.
[Jeff Trawick]
*) Suppress pgsql column-out-of-range warning.
PR 46012 [Michiel van Loon]
*) Fix a buffer overrun and password matching for SHA passwords.
PR 45679 [Ben Noordhuis]
*) Introduce DSO handling of the db, gdbm and ndbm drivers, so these are
loaded as .so's on first demand, unless --disable-util-dso is configured.
[William Rowe]
*) Fix a segfault in the DBD testcase when the DBD modules were not present.
[Graham Leggett]
APR Changes between 1.3.3 and 1.3.5
Changes for APR 1.3.5
*) Dropped kqueue and apr_poll detection from Mac OS/X 10.5/Darwin 9
due to various reported problems. [William Rowe]
Changes for APR 1.3.4
*) apr_strerror() on OS/2: Fix problem with calculating buffer size.
PR 45689. [Erik Lax]
*) Prefer glibtool1/glibtoolize1. [Jim Jagielski]
*) Fix buildconf with libtool 2.2. [Joe Orton]
*) Fix a bug with the APR_DELONCLOSE flag. Child processes were (also)
unlinking the file. [Greg Stein]
*) Fix compilation error on systems that do not have IPV6.
PR 46601 [Julien Charbon]
*) apr_socket_sendfile() on Solaris: Fix handling of files truncated
after the sender determines the length. (This fixes a busy loop in
httpd when a file being served is truncated.) [Jeff Trawick]
*) Fix documentation for apr_temp_dir_get().
PR 46303 [Carlo Marcelo Arenas Belon]
*) Add AC_MSG_RESULT after AC_MSG_CHECKING.
PR 46427 [Rainer Jung]
*) Reset errno to zero in apr_strtoi64 to prevent returning an errno not
equal zero in cases where the operation worked fine. [Ruediger Pluem]
*) Win32: Do not error out on apr_pollset_poll() when there are no sockets.
[Justin Erenkrantz]
*) Fix apr_tokenize_to_argv parsing. PR 46128
[Edward Rudd]
OpenSSL Changes between 0.9.8j and 0.9.8k
*) Don't set val to NULL when freeing up structures, it is freed up by
underlying code. If sizeof(void *) > sizeof(long) this can result in
zeroing past the valid field. (CVE-2009-0789)
[Paolo Ganci]
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
appear to verify correctly. (CVE-2009-0591)
[Ivan Nestlerode]
*) Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
a legal length. (CVE-2009-0590)
[Steve Henson]
*) Set S/MIME signing as the default purpose rather than setting it
unconditionally. This allows applications to override it at the store
level.
[Steve Henson]
*) Permit restricted recursion of ASN1 strings. This is needed in practice
to handle some structures.
[Steve Henson]
*) Improve efficiency of mem_gets: don't search whole buffer each time
for a '\n'
[Jeremy Shapiro]
*) New -hex option for openssl rand.
[Matthieu Herrb]
*) Print out UTF8String and NumericString when parsing ASN1.
[Steve Henson]
*) Support NumericString type for name components.
[Steve Henson]
*) Allow CC in the environment to override the automatically chosen
compiler. Note that nothing is done to ensure flags work with the
chosen compiler.
[Ben Laurie]
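The APR-util 1.3.7 entry above closes a "billion laughs" entity-expansion denial of service in the apr_xml_* interface. As an added illustration (not code from the post or from APR), the following Python pre-check estimates how large a document's entity references would become after expansion without actually expanding them, so that an oversized or recursive definition can be rejected before a parser touches it. The sample document, the threshold values and the function names are constructed for this example.

```python
import re
# Entity declarations in the internal DTD subset, and general-entity references
# (parameter entities and character references are out of scope here).
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')

def parse_internal_entities(doc):
    """Map entity name -> replacement text for every <!ENTITY name "..."> seen."""
    return dict(ENTITY_DECL.findall(doc))

def expanded_size(entities, name, stack=None, memo=None):
    """Bytes that &name; occupies after full expansion, computed without expanding.
    Raises ValueError on a reference cycle, which XML forbids anyway."""
    stack = set() if stack is None else stack
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("recursive entity reference: " + name)
    value = entities.get(name)
    if value is None:  # undeclared or predefined (&amp; ...): count it as written
        return len(name) + 2
    stack.add(name)
    size, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += m.start() - pos + expanded_size(entities, m.group(1), stack, memo)
        pos = m.end()
    size += len(value) - pos
    stack.remove(name)
    memo[name] = size
    return size

def check_expansion(doc, max_bytes=1_000_000, max_ratio=50):
    """Return (expanded body bytes, amplification ratio, accepted) for a document."""
    entities = parse_internal_entities(doc)
    end = doc.find("]>")  # body starts after the internal subset, if there is one
    body = doc[end + 2:] if end != -1 else doc
    memo, size, pos = {}, 0, 0
    for m in ENTITY_REF.finditer(body):
        size += m.start() - pos + expanded_size(entities, m.group(1), None, memo)
        pos = m.end()
    size += len(body) - pos
    ratio = size / max(len(doc), 1)
    return size, ratio, size <= max_bytes and ratio <= max_ratio

# Constructed test input: three nesting levels, so one reference expands 1000-fold.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE r [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<r>&c;</r>"""
```

The ratio is what matters operationally: a tiny input that would expand far beyond its own size is the signature of this class of bug, independent of the absolute limit chosen.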