Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2010/06/14 19:45:26 UTC

Re: svn propchange: r953418 - svn:log

On Fri, Jun 11, 2010 at 4:58 PM, <wr...@apache.org> wrote:
>
> Author: wrowe
> Revision: 953418
> Modified property: svn:log
>
> Modified: svn:log at Fri Jun 11 20:58:40 2010
> ------------------------------------------------------------------------------
> --- svn:log (original)
> +++ svn:log Fri Jun 11 20:58:40 2010
> @@ -1,2 +1,5 @@
>  Use APR_STATUS_IS_TIMEUP instead of direct compare to APR_TIMEUP to
>  be more safe on different platforms.
> +
> +PR: 49417
> +Addresses CVE-2010-2068
>
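
Review bot: The added "Addresses CVE-2010-2068" line sits under a summary that still reads "be more safe on different platforms", so the log never states that the APR_STATUS_IS_TIMEUP change is the security-relevant part or which platforms it matters on. Consider one more sentence naming the platforms where the direct compare to APR_TIMEUP falls short, so a reader arriving from the CVE or from PR 49417 can tell what needs to be backported.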

Would it be accurate to add the following paragraph?  Some folks may
be bewildered that the vulnerability affects only certain platforms
yet the commit that resolves it modifies platform-independent code.

---cut here---
Note: This commit has an additional, platform-independent change to
mark the back-end connection for closing (backend->close = 1;)  That
code is not required to resolve CVE-2010-2068 on any platform.
---cut here---

Re: svn propchange: r953418 - svn:log

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 6/14/2010 12:45 PM, Jeff Trawick wrote:
> On Fri, Jun 11, 2010 at 4:58 PM, <wr...@apache.org> wrote:
>>
>> Author: wrowe
>> Revision: 953418
>> Modified property: svn:log
>>
>> Modified: svn:log at Fri Jun 11 20:58:40 2010
>> ------------------------------------------------------------------------------
>> --- svn:log (original)
>> +++ svn:log Fri Jun 11 20:58:40 2010
>> @@ -1,2 +1,5 @@
>>  Use APR_STATUS_IS_TIMEUP instead of direct compare to APR_TIMEUP to
>>  be more safe on different platforms.
>> +
>> +PR: 49417
>> +Addresses CVE-2010-2068
>>
> 
> Would it be accurate to add the following paragraph?  Some folks may
> be bewildered that the vulnerability affects only certain platforms
> yet the commit that resolves it modifies platform-independent code.
> 
> ---cut here---
> Note: This commit has an additional, platform-independent change to
> mark the back-end connection for closing (backend->close = 1;)  That
> code is not required to resolve CVE-2010-2068 on any platform.
> ---cut here---

Feel free to add this to the patches/ files as well.  +1