httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Trawick" <traw...@gmail.com>
Subject Re: svn commit: r556298 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS server/mpm_common.c
Date Thu, 19 Jul 2007 13:06:39 GMT
On 7/19/07, Joe Orton <jorton@redhat.com> wrote:
> On Thu, Jul 19, 2007 at 08:30:37AM -0400, Jeff Trawick wrote:
> > On 7/14/07, sctemme@apache.org <sctemme@apache.org> wrote:
> > >Author: sctemme
> > >Date: Sat Jul 14 10:03:18 2007
> > >New Revision: 556298
> > >
> > >URL: http://svn.apache.org/viewvc?view=rev&rev=556298
> > >Log:
> > >Backport of 2.0.x PID table problem fix
> >
> > >+  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
> > >+     scoreboard pid protection fixes -- the only fix for 2.0.x is
> > >+     to ensure a valid positive pid is passed to apr_proc_wait();
> > >+     the MPMs do not kill children directly as in 2.2.x.
> >
> > assert(
> > CVE-2007-3304 does not apply to 2.0.x.  This commit is a fix in the
> > same general area as the 2.2.x vulnerability and should not have the
> > SECURITY/CVE label.
> > )
>
> I erroneously claimed that originally, then later found an attack vector
> for -3304 which did work for 2.0.x:
>
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/%3c20070629141032.GA15192@redhat.com%3e
>
> The wording above is not really appropriate for CHANGES, I've just fixed
> that.

thanks for the big clues; any need to fix mitre.org text?

Mime
View raw message