libapreq2-2.07 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.07 release of libapreq2. This
Announcement notes significant changes introduced by this release.

libapreq2-2.07 is released under the Apache License
version 2.0. It is now available through the ASF mirrors

  http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as

  file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.07.tar.gz
  size: 787249 bytes
  md5: 6f2e5e4a14e8b190dead0fe91fc13080

libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides

  1) version 2.5.7 of the libapreq2 library,
  2) mod_apreq2, a filter module necessary for using libapreq2
     within the Apache HTTP Server,
  3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
     Perl modules for using libapreq2 with mod_perl2.

This release contains an important security bugfix which impacts all
previous developer releases of libapreq2. The Common Vulnerabilities
and Exposures project assigned the name CVE-2006-0042 to this issue.

========================================================================

Changes with libapreq2-2.07 (released February 12, 2006)

- C API [joes]
  SECURITY: CVE-2006-0042 (cve.mitre.org)
  Eliminate potential quadratic behavior in apreq_parse_headers() and
  apreq_parse_urlencoded().

- Perl API [Philip M. Gollucci]
  Fix Apache2::Cookie->cookies() to comply with its documentation

- C API [Philip M. Gollucci]
  Use the APREQ_DEFAULT_READ_LIMIT constant for the read_limit

- C API [Ville Skyttä, Dirk Nehring]
  Add explicit cast in apreq_escape()/apreq_util.h to keep
  C++ compilers happy.

- C API [joes]
  Protect against arbitrary recursion depth in apreq_parse_multipart()
  by adding a reasonable compile-time MAX_LEVEL limit.

- C API [joes]
  Clean up end-of-file parsing for apreq_parse_multipart(),
  conforming to rfc-2046 § 5.1.1.

- Perl API [joes]
  Move APR::Request::Param::Table and APR::Request::Cookie::Table
  packages to APR::Request module.

- Perl XS [Steve Hay]
  Fix compile problems on Win32 without PERL_IMPLICIT_SYS
  related to link being an unresolved symbol.

- Perl API [joes]
  APR::Request::Cookie::thaw() isn't a class method.

- C API [joes]
  Fix off-by-one bug in the continuation-lines portion of the
  header parser.

- Perl API [joes]
  Move APR::Request::upload to APR::Request, where it belongs.

- Perl XS [Nikolay Ananiev]
  Use MP_STATIC declarations to allow Cygwin builds.

- Perl API [joes]
  encode()/decode() were busted with zero-length args. This caused
  Apache2::Cookie::new() to segfault on cookie value of "".

- C API [joes]
  Add apreq_charset_divine() and eliminate charset offset from return
  value of apreq_decode(v).

- C API [joes]
  Improve the cp1252-charset heuristics for apreq_decode(v).

- C API [Ralph Mattes]
  Add explicit casts for apreq_param_charset_* to keep C++ compilers happy.