On Thu, Jul 19, 2007 at 09:06:39AM -0400, Jeff Trawick wrote: > On 7/19/07, Joe Orton <[EMAIL PROTECTED]> wrote: > >On Thu, Jul 19, 2007 at 08:30:37AM -0400, Jeff Trawick wrote: > >> assert( > >> CVE-2007-3304 does not apply to 2.0.x. This commit is a fix in the > >> same general area as the 2.2.x vulnerability and should not have the > >> SECURITY/CVE label. > >> ) > > > >I erroneously claimed that originally, then later found an attack vector > >for -3304 which did work for 2.0.x: > > > >http://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/[EMAIL > >PROTECTED] > > > >The wording above is not really appropriate for CHANGES, I've just fixed > >that. > > thanks for the big clues; any need to fix mitre.org text?
Ah, I didn't realise they had the versions referenced. I've send them a note. joe
