I'll wait until we know that APR 1.3.9 is OK :) On Sep 23, 2009, at 7:24 PM, Graham Leggett wrote:
Hi all, The tarballs are (will soon be) at http://httpd.apache.org/dev/dist/. This release contains fixes for the following security issues: *) SECURITY: CVE-2009-2699 (cve.mitre.org) Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support (Event Port backend) which could trigger hangs in the prefork and event MPMs on that platform. PR 47645. [Jeff Trawick] *) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch <sf fritsch.de>, Joe Orton] *) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch <sf fritsch.de>, Joe Orton] +/-1 [ ] Release httpd-2.2.14 as GA Regards, Graham --
