On Fri, Oct 16, 2009 at 5:43 AM, Joe Orton <[email protected]> wrote:
> Since there is no specific reference to the fix for CVE-2009-2699 in the
> APR change history or elsewhere, can someone (hello Jeff) confirm that
> the patch referenced here:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=47645#c13
>
> is a sufficient fix for the vulnerability?
https://issues.apache.org/bugzilla/attachment.cgi?id=24161 is okay for applying to older levels. The code changes in APR 1.3.9 were different, however.

As far as referencing CVE-2009-2699: That was an httpd vulnerability. Should it be referenced in the APR CHANGES file?

Index: CHANGES =================================================================== --- CHANGES (revision 825834) +++ CHANGES (working copy) @@ -23,7 +23,8 @@ [Bojan Smojver] *) Fix error handling in the Solaris pollset support (Event Port backend). - PR 47645. [Jeff Trawick] + This resolves httpd vulnerability CVE-2009-2699. PR 47645. + [Jeff Trawick] *) Add the remainder of this fix from trunk: Fix Solaris poll failure. PR 43000
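Review bot: the added CHANGES line "This resolves httpd vulnerability CVE-2009-2699. PR 47645." does not say which of the two fixes mentioned in this mail it describes, the attachment 24161 patch for older levels or the different code change that went into APR 1.3.9, so anyone backporting from this entry cannot tell whether the diff they are looking at is the complete one; adding a few words such as "(the 1.3.9 change differs from the backport patch attached to PR 47645)" would close that gap. Keeping the CVE identifier in the APR entry is worth doing despite the CVE being assigned against httpd, since packagers grep change logs by CVE id, but phrasing it as the APR side of an httpd advisory, e.g. "APR part of the fix for httpd vulnerability CVE-2009-2699", makes clear the identifier was not assigned to APR itself.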
