On 7/19/07, Joe Orton <[EMAIL PROTECTED]> wrote:
On Thu, Jul 19, 2007 at 08:30:37AM -0400, Jeff Trawick wrote:
> On 7/14/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >Author: sctemme
> >Date: Sat Jul 14 10:03:18 2007
> >New Revision: 556298
> >
> >URL: http://svn.apache.org/viewvc?view=rev&rev=556298
> >Log:
> >Backport of 2.0.x PID table problem fix
>
> >+ *) SECURITY: CVE-2007-3304 (cve.mitre.org)
> >+ scoreboard pid protection fixes -- the only fix for 2.0.x is
> >+ to ensure a valid positive pid is passed to apr_proc_wait();
> >+ the MPMs do not kill children directly as in 2.2.x.
>
> assert(
> CVE-2007-3304 does not apply to 2.0.x. This commit is a fix in the
> same general area as the 2.2.x vulnerability and should not have the
> SECURITY/CVE label.
> )
I erroneously claimed that originally, then later found an attack vector
for -3304 which did work for 2.0.x:
http://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/[EMAIL PROTECTED]
The wording above is not really appropriate for CHANGES, I've just fixed
that.
thanks for the big clues; any need to fix mitre.org text?
