On Mon, Nov 16, 2009 at 6:38 AM, Bill Weir <[email protected]> wrote:
> Hi,
>
> I have downloaded and built Apache-2.2.14, using the bundled apr-1.3.9. On x86 Solaris I am seeing bad behaviour which looks very like what is described in https://issues.apache.org/bugzilla/show_bug.cgi?id=48029 (and maybe also https://issues.apache.org/bugzilla/show_bug.cgi?id=48030 ). As far as I can see, these bugs are fixed in apr-1.3.10, but I can't find a release schedule for that.
>
> I also notice that the APR download page quotes apr-1.3.8 as the best available version, rather than the apr-1.3.9 that is bundled with apache-2.2.14.
>
> So, a bit confused here. The reason I'm building Apache at all is to get a fix for this vulnerability - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2699 - which says that it affects apr-1.3.8 and earlier. But apr-1.3.9 is apparently broken as well, as discussed above, and I can't find a release schedule for apr-1.3.10.
>
> How should I best proceed?
* use the patches in those PRs with APR 1.3.9
* use httpd 2.2.13 with a special port_getn() interposer I wrote which accidentally avoids the PR 48029 issue and doesn't try to fix the theoretical problem that is related to PR 48030
  ** attached to this OpenSolaris forum thread: http://opensolaris.org/jive/thread.jspa?messageID=421151
* get the Solaris kernel team to provide a kernel patch for the bugs/design flaws that required special handling to resolve the two PRs you quote above (okay, I'm dreaming)
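The practical question behind the thread is "which APR is this httpd actually running with, and does it fall in the range the thread talks about?" The following is an added example, not code from either message or from the APR/httpd projects. It parses the "Server loaded:" and "Compiled using:" lines that `httpd -V` prints (that line wording is an assumption here), compares the APR version against the two thresholds stated in the thread (CVE-2009-2699 affecting apr-1.3.8 and earlier; apr-1.3.9 carrying the Solaris event-port PRs 48029/48030 until 1.3.10), and flags the case where the loaded shared APR differs from the one httpd was compiled against, since the loaded one is what matters at runtime. The sample `httpd -V` output is constructed.

```python
"""Classify an httpd build's APR version against the thresholds discussed in the thread.

Added example (not from the thread). Assumes `httpd -V` prints lines of the form
  "Server loaded:  APR 1.3.8, APR-Util 1.3.9"
  "Compiled using: APR 1.3.9, APR-Util 1.3.9"
"""
import re
from typing import Dict, Tuple

# Thresholds as stated in the thread.
LAST_CVE_2009_2699_AFFECTED = (1, 3, 8)   # "affects apr-1.3.8 and earlier"
SOLARIS_PORT_PR_VERSION = (1, 3, 9)       # PR 48029/48030 open in 1.3.9, fixed in 1.3.10

APR_LINE_RE = re.compile(
    r"^(Server loaded|Compiled using):\s*APR\s+(\d+(?:\.\d+)*)", re.MULTILINE
)

# Constructed sample of `httpd -V` output: a shared APR 1.3.8 is loaded at runtime
# even though the binary was compiled against the bundled 1.3.9.
SAMPLE_HTTPD_V = """Server version: Apache/2.2.14 (Unix)
Server built:   Nov 16 2009 10:00:00
Server loaded:  APR 1.3.8, APR-Util 1.3.9
Compiled using: APR 1.3.9, APR-Util 1.3.9
Architecture:   32-bit
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.9' -> (1, 3, 9); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def apr_versions(httpd_v_output: str) -> Dict[str, Tuple[int, ...]]:
    """Map 'Server loaded' / 'Compiled using' to the APR version each line reports."""
    return {
        m.group(1): parse_version(m.group(2))
        for m in APR_LINE_RE.finditer(httpd_v_output)
    }


def assess(httpd_v_output: str, solaris: bool = False) -> Dict[str, str]:
    """Classify each reported APR version; on Solaris also flag the 1.3.9 event-port PRs."""
    findings: Dict[str, str] = {}
    versions = apr_versions(httpd_v_output)
    for source, ver in versions.items():
        if ver <= LAST_CVE_2009_2699_AFFECTED:
            findings[source] = "CVE-2009-2699 range (apr <= 1.3.8): upgrade"
        elif ver == SOLARIS_PORT_PR_VERSION and solaris:
            findings[source] = "apr 1.3.9 on Solaris: PR 48029/48030, apply the PR patches or move to 1.3.10"
        else:
            findings[source] = "ok"
    loaded = versions.get("Server loaded")
    compiled = versions.get("Compiled using")
    if loaded and compiled and loaded != compiled:
        # The runtime-loaded library decides exposure, not the build-time one.
        findings["mismatch"] = "loaded APR differs from compiled APR; the loaded version governs"
    return findings


if __name__ == "__main__":
    for key, verdict in assess(SAMPLE_HTTPD_V, solaris=True).items():
        print(f"{key}: {verdict}")
```

Run it against real output with `httpd -V | python3 check_apr.py` style plumbing by replacing `SAMPLE_HTTPD_V` with `sys.stdin.read()`; the point of keeping "Server loaded" and "Compiled using" separate is that a rebuilt httpd can still pick up an older system libapr at runtime, which is exactly the situation a version-pinned fix is meant to rule out.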
