From: Jeff Trawick
To: dev@apr.apache.org
Date: Fri, 16 Oct 2009 06:52:39 -0400
Subject: Re: CVE-2009-2699 - Solaris port fix
References: <20091016094309.GD3128@redhat.com>

On Fri, Oct 16, 2009 at 6:21 AM, Jeff Trawick wrote:
> On Fri, Oct 16, 2009 at 5:43 AM, Joe Orton wrote:
>> Since there is no specific reference to the fix for CVE-2009-2699 in the
>> APR change history or elsewhere, can someone (hello Jeff) confirm that
>> the patch referenced here:
>>
>>   https://issues.apache.org/bugzilla/show_bug.cgi?id=47645#c13
>>
>> is a sufficient fix for the vulnerability?
>
> https://issues.apache.org/bugzilla/attachment.cgi?id=24161 is okay for
> applying to older levels.
>

FWIW, I have an interposer library to LD_PRELOAD that I've given to a number
of people to resolve this problem. It is available upon request.