[ANNOUNCE] libapreq2-2.07 Released
libapreq2-2.07 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.07 release of libapreq2. This
Announcement notes significant changes introduced by this release.

libapreq2-2.07 is released under the Apache License
version 2.0. It is now available through the ASF mirrors

http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as

file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.07.tar.gz
size: 787249 bytes
md5: 6f2e5e4a14e8b190dead0fe91fc13080


libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides

1) version 2.5.7 of the libapreq2 library,

2) mod_apreq2, a filter module necessary for using libapreq2
within the Apache HTTP Server,

3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
perl modules for using libapreq2 with mod_perl2.

This release contains an important security bugfix which impacts all
previous developer releases of libapreq2. The Common Vulnerabilities
and Exposures project assigned the name CVE-2006-0042 to this issue.


========================================================================

Changes with libapreq2-2.07 (released February 12, 2006)


- C API [joes]
SECURITY: CVE-2006-0042 (cve.mitre.org)
Eliminate potential quadratic behavior in apreq_parse_headers() and
apreq_parse_urlencoded().

- Perl API [Philip M. Gollucci]
Fix Apache2::Cookie->cookies() to comply with its documentation.

- C API [Philip M. Gollucci]
Use the APREQ_DEFAULT_READ_LIMIT constant for the read_limit

- C API [Ville Skyttä, Dirk Nehring]
Add explicit cast in apreq_escape()/apreq_util.h to keep
C++ compilers happy.

- C API [joes]
Protect against arbitrary recursion depth in apreq_parse_multipart()
by adding a reasonable compile-time MAX_LEVEL limit.

- C API [joes]
Clean up end-of-file parsing for apreq_parse_multipart(),
conforming to rfc-2046 § 5.1.1.

- Perl API [joes]
Move APR::Request::Param::Table and APR::Request::Cookie::Table
packages to APR::Request module.

- Perl XS [Steve Hay]
Fix compile problems on Win32 without PERL_IMPLICIT_SYS
related to link being an unresolved symbol.

- Perl API [joes]
APR::Request::Cookie::thaw() isn't a class method.

- C API [joes]
Fix off-by-one bug in the continuation-lines portion of the
header parser.

- Perl API [joes]
Move APR::Request::upload to APR::Request, where it belongs.

- Perl XS [Nikolay Ananiev]
Use MP_STATIC declarations to allow Cygwin builds.

- Perl API [joes]
encode()/decode() were busted with zero-length args. This caused
Apache2::Cookie::new() to segfault on cookie value of "".

- C API [joes]
Add apreq_charset_divine() and eliminate charset offset from return
value of apreq_decode(v).

- C API [joes]
Improve the cp1252-charset heuristics for apreq_decode(v).

- C API [Ralph Mattes]
Add explicit casts for apreq_param_charset_* to keep C++ compilers happy.
