From: "Jeff Trawick"
To: dev@httpd.apache.org
Subject: Re: svn commit: r556298 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS server/mpm_common.c
Date: Thu, 19 Jul 2007 09:06:39 -0400

On 7/19/07, Joe Orton wrote:
> On Thu, Jul 19, 2007 at 08:30:37AM -0400, Jeff Trawick wrote:
> > On 7/14/07, sctemme@apache.org wrote:
> > >Author: sctemme
> > >Date: Sat Jul 14 10:03:18 2007
> > >New Revision: 556298
> > >
> > >URL: http://svn.apache.org/viewvc?view=rev&rev=556298
> > >Log:
> > >Backport of 2.0.x PID table problem fix
> >
> > >+ *) SECURITY: CVE-2007-3304 (cve.mitre.org)
> > >+ scoreboard pid protection fixes -- the only fix for 2.0.x is
> > >+ to ensure a valid positive pid is passed to apr_proc_wait();
> > >+ the MPMs do not kill children directly as in 2.2.x.
> >
> > assert(
> > CVE-2007-3304 does not apply to 2.0.x. This commit is a fix in the
> > same general area as the 2.2.x vulnerability and should not have the
> > SECURITY/CVE label.
> > )
>
> I erroneously claimed that originally, then later found an attack vector
> for -3304 which did work for 2.0.x:
>
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/%3c20070629141032.GA15192@redhat.com%3e
>
> The wording above is not really appropriate for CHANGES, I've just fixed
> that.

thanks for the big clues; any need to fix mitre.org text?
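
Review bot: the quoted CHANGES entry (the four `+` lines) reads as backport rationale rather than a description of the change: "the only fix for 2.0.x is ..." and "the MPMs do not kill children directly as in 2.2.x" explain why the patch is small, not what 2.0.x now does. Suggest stating the behaviour directly, i.e. that a valid positive pid is ensured before it is passed to apr_proc_wait(), and leaving the 2.2.x comparison to the commit log.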