apr-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: CVE-2009-2699 - Solaris port fix
Date Fri, 16 Oct 2009 10:21:14 GMT
On Fri, Oct 16, 2009 at 5:43 AM, Joe Orton <jorton@redhat.com> wrote:
> Since there is no specific reference to the fix for CVE-2009-2699 in the
> APR change history or elsewhere, can someone (hello Jeff) confirm that
> the patch referenced here:
>
>  https://issues.apache.org/bugzilla/show_bug.cgi?id=47645#c13
>
> is a sufficient fix for the vulnerability?

https://issues.apache.org/bugzilla/attachment.cgi?id=24161 is okay for
applying to older levels.

The code changes in APR 1.3.9 were different, however.

As far as referencing CVE-2009-2699: That was an httpd vulnerability.
Should it be referenced in the APR CHANGES file?

Index: CHANGES
===================================================================
--- CHANGES	(revision 825834)
+++ CHANGES	(working copy)
@@ -23,7 +23,8 @@
      [Bojan Smojver]

   *) Fix error handling in the Solaris pollset support (Event Port backend).
-     PR 47645.  [Jeff Trawick]
+     This resolves httpd vulnerability CVE-2009-2699.  PR 47645.
+     [Jeff Trawick]

   *) Add the remainder of this fix from trunk:
      Fix Solaris poll failure.  PR 43000
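
Review bot: the new CHANGES text names the httpd CVE but does not say which APR change it describes, and the message above states that the APR 1.3.9 code change differs from the bugzilla attachment (24161) that is suitable for older levels; consider adding the APR revision alongside "PR 47645." so that anyone backporting knows which of the two changes this entry refers to.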
