On 6/14/2010 12:45 PM, Jeff Trawick wrote:
> On Fri, Jun 11, 2010 at 4:58 PM, <[email protected]> wrote:
>>
>> Author: wrowe
>> Revision: 953418
>> Modified property: svn:log
>>
>> Modified: svn:log at Fri Jun 11 20:58:40 2010
>> ------------------------------------------------------------------------------
>> --- svn:log (original)
>> +++ svn:log Fri Jun 11 20:58:40 2010
>> @@ -1,2 +1,5 @@
>> Use APR_STATUS_IS_TIMEUP instead of direct compare to APR_TIMEUP to
>> be more safe on different platforms.
>> +
>> +PR: 49417
>> +Addresses CVE-2010-2068
>>
>
> Would it be accurate to add the following paragraph? Some folks may
> be bewildered that the vulnerability affects only certain platforms
> yet the commit that resolves it modifies platform-independent code.
>
> ---cut here---
> Note: This commit has an additional, platform-independent change to
> mark the back-end connection for closing (
>
> backend->close = 1;) That code is not required to resolve
> CVE-2010-2068 on any platform.
> ---cut here---

Feel free to add this to the patches/ files as well. +1
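
Review bot: the added trailer lines (PR: 49417, Addresses CVE-2010-2068) tie this revision to a security fix, but the description above them still reads only "be more safe on different platforms", which does not tell a reader which platforms are affected or how the APR_STATUS_IS_TIMEUP comparison relates to the CVE. Consider adding one sentence to the log that states this, so that someone deciding on a backport from the log alone can judge whether the revision applies to their platform.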
