Actually, that was in APR-util 1.6.1, see the APR release announcement and Craig's users@httpd post. On Wed, Oct 25, 2017 at 4:02 PM, Craig Young <cyoung@xxxxxxxxxxxx> wrote: > I’m not sure if this is what is referred to in the Apache 2.4.29 announcement, but please note that the Apache Portable Runtime v1.6.3 release resolved memory safety issues I found in functions used within HTTP server. This was released in conjunction with 2.4.29. > > Using HTTP server linked to prior versions of APR exposes the risks outlined in my email sent to this list on Monday. > > Best Regards, > Craig > > On 10/25/17, 1:05 PM, "Development Manager" <devmanager@xxxxxxxxxxxxxxxxxxxxxx> wrote: > > The 2.4.29 changes document doesn't reference any CVE articles, though the announcement indicates that this is a security release. Are any of the 2.4.29 changes security related? > > Thanks, > Jim > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|