On Thu, Jul 19, 2007 at 08:30:37AM -0400, Jeff Trawick wrote: > On 7/14/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > >Author: sctemme > >Date: Sat Jul 14 10:03:18 2007 > >New Revision: 556298 > > > >URL: http://svn.apache.org/viewvc?view=rev&rev=556298 > >Log: > >Backport of 2.0.x PID table problem fix > > >+ *) SECURITY: CVE-2007-3304 (cve.mitre.org) > >+ scoreboard pid protection fixes -- the only fix for 2.0.x is > >+ to ensure a valid positive pid is passed to apr_proc_wait(); > >+ the MPMs do not kill children directly as in 2.2.x. > > assert( > CVE-2007-3304 does not apply to 2.0.x. This commit is a fix in the > same general area as the 2.2.x vulnerability and should not have the > SECURITY/CVE label. > )
I erroneously claimed that originally, then later found an attack vector for -3304 which did work for 2.0.x: http://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/[EMAIL PROTECTED] The wording above is not really appropriate for CHANGES, I've just fixed that. Regards, joe
