Changes with APR-util 1.5.2
*) Windows: Add command line makefiles. [Gregg Smith]
*) apr_uri_parse(): Do not accept invalid characters in the scheme.
Per RFC 3986 3.3, enforce that the first segment of a relative path does
not contain a colon. PR 52479. [Stefan Fritsch]
*) Fix memory leak in hook sorting function. PR 51256.
[<horowity checkpoint com>]
*) Speedup md5 calculation by avoiding some copying on little endian
architectures. PR 49011. [Stefan Fritsch, Stefan Fuhrmann
<stefanfuhrmann alice-dsl de>]
*) Use heap memory for crypt in apr_password_validate(), to reduce stack
usage. PR 54572. [Stefan Fritsch]
*) Fix password validation failure for all crypt and crypt_r based
algorithms. PR 54603. [Harvey Eneman <harvey.eneman oracle.com>]
*) Fix syntax error in crypto/apr_passwd.c on non-glibc systems. PR 54275.
[Stefan Fritsch]
*) Fix potential data corruption in apr_brigade_write() and friends if
the last bucket of the brigade is a heap bucket that has been split,
and there are still references to the next part of the original bucket
in use. [Stefan Fritsch]
*) Remove duplicated logic in apr_brigade_puts(). PR 53740. [Christophe
Jaillet <christophe jaillet wanadoo fr>]
*) apr_crypto: If --with-crypto is passed to configure but no crypto
libraries are enabled, autodetect available libraries. [Jeff Trawick]
*) memcache: Fix dead server retry logic. [Gavin Shelley <columbusmonkey me.com>]
Changes with APR-util 1.5.1
*) testmemcache: Fix crash. PR 52705. [Peter Poeml <peter poeml de>]
*) MinGW: Support shared builds of apr-util when apr is shared.
PR 46175. [Carlo Bramini <carlo.bramix libero.it>, Jeff Trawick]
*) Add support for Berkeley DB 5.2 and 5.3. Simplify detection script.
PR 53684. [Rainer Jung]
*) configure: Allow to specify library specific custom linker flags
via the LDADD_XXX variables. [Rainer Jung]
*) apr_password_validate(): Fix intermittent errors on systems
such as FreeBSD where the crypt() function is used.
(Broken only in 1.5.0) [Jeff Trawick]
*) Improve platform detection for bundled expat by updating
config.guess and config.sub. [Rainer Jung]
Changes with APR-util 1.5.0
*) dbd_pgsql_escape: Use PQescapeStringConn. [Nick Kew]
*) apr_password_validate, apr_bcrypt_encode: Add support for bcrypt encoded
passwords. The bcrypt implementation uses code from crypt_blowfish
written by Solar Designer <solar openwall com>. apr_bcrypt_encode creates
hashes with "$2y$" prefix, but apr_password_validate also accepts the old
prefix "$2a$". PR 49288. [Stefan Fritsch]
*) APR dbd: Allow to use apr_dbd_get_row() with a different pool than
apr_dbd_select(). PR 53533. [<arthur echo gmail com>]
*) APR dbd FreeTDS support: Fix spurious API errors caused by uninitialized
fields. [TROY.LIU 劉春偉 <TROY.LIU deltaww.com.cn>]
*) apr_password_validate: Increase maximum hash string length to allow
more than 9999 rounds with sha512-crypt. PR 53410. [Stefan Fritsch]
*) Fix segfaults in crypt() and crypt_r() failure modes.
PR 47272. [Arkadiusz Miskiewicz <arekm pld-linux.org>]
*) apr_crypto: Ensure that the if/else that governs the static
initialisation of each crypto driver works when the first driver
isn't in use. [Graham Leggett]
*) apr_crypto: Ensure the *driver variable is initialised when a statically
compiled library is initialised for the first time. [Graham Leggett]
*) apr_crypto: Ensure the *driver variable is initialised when the library
has already been loaded. Fix ported from apr_dbd. [Graham Leggett]
*) apr_crypto: Move the static initialisation of DRIVER_LOAD from
apr_crypto_init() to apr_crypto_get_driver(), so that we don't lose
the parameters. [Graham Leggett]
Changes with APR-util 1.4.3
*) Fix potential data corruption in apr_brigade_write() and friends if
the last bucket of the brigade is a heap bucket that has been split,
and there are still references to the next part of the original bucket
in use. [Stefan Fritsch]
*) Remove duplicated logic in apr_brigade_puts(). PR 53740. [Christophe
Jaillet <christophe jaillet wanadoo fr>]
*) memcache: Fix dead server retry logic. [Gavin Shelley <columbusmonkey me.com>]
*) Improve platform detection for bundled expat by updating
config.guess and config.sub. [Rainer Jung]
*) APR dbd: Allow to use apr_dbd_get_row() with a different pool than
apr_dbd_select(). PR 53533. [<arthur echo gmail com>]
*) APR dbd FreeTDS support: Fix spurious API errors caused by uninitialized
fields. [TROY.LIU 劉春偉 <TROY.LIU deltaww.com.cn>]
*) apr_password_validate: Increase maximum hash string length to allow
more than 9999 rounds with sha512-crypt. PR 53410. [Stefan Fritsch]
*) Fix segfaults in crypt() and crypt_r() failure modes.
PR 47272. [Arkadiusz Miskiewicz <arekm pld-linux.org>]
*) apr_crypto: Ensure that the if/else that governs the static
initialisation of each crypto driver works when the first driver
isn't in use. [Graham Leggett]
*) apr_crypto: Ensure the *driver variable is initialised when a statically
compiled library is initialised for the first time. [Graham Leggett]
*) apr_crypto: Ensure the *driver variable is initialised when the library
has already been loaded. Fix ported from apr_dbd. [Graham Leggett]
Changes with APR-util 1.4.2 (not released)
*) apr_crypto: Move the static initialisation of DRIVER_LOAD from
apr_crypto_init() to apr_crypto_get_driver(), so that we don't lose
the parameters. [Graham Leggett]
- SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().
[Stefan Fritsch]
- SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
Fix two buffer over-read flaws in the bundled copy of expat which
could cause applications to crash while parsing specially-crafted
XML documents. [Joe Orton]
- Upgrade bundled copy of expat library to 1.95.7. [Joe Orton]
- apr_thread_pool: Fix some potential deadlock situations. Bug 49709.
[Joe Mudd <Joe.Mudd sas.com>]
- apr_thread_pool_create: Fix pool corruption caused by multithreaded
use of the pool when multiple initial threads are created. Bug 47843.
[Alex Korobka <akorobka fxcm.com>]
- apr_thread_pool_create(): Only set the output thread pool handle on
success. [Paul Querna]
- DBD ODBC support: Fix memory corruption using apr_dbd_datum_get() with
several different data types, including APR_DBD_TYPE_TIME. Bug 49645.
[<kappa psilambda.com>]
- Add support for Berkeley DB 4.8 and 5.0. Bug 49866, Bug 49179.
[Bernhard Rosenkraenzer <br blankpage.ch>,
Arfrever Frehtes Taifersar Arahesis <arfrever.fta gmail.com>]
- Make bundled expat compatible with libtool 2.x. Bug 49053.
[Rainer Jung]
- Prefer libtool 1.x when searching for libtool in
bundled expat release process. [Rainer Jung, Jim Jagielski]
- Improve platform detection for bundled expat by updating
config.guess and config.sub. [Rainer Jung]
Patch supplied by Mihai Chelaru, approved by Alistair Crooks.
