On Fri, Oct 16, 2009 at 5:43 AM, Joe Orton <jorton@...> wrote:
> Since there is no specific reference to the fix for CVE-2009-2699 in the
> APR change history or elsewhere, can someone (hello Jeff) confirm that
> the patch referenced here:
>
>
> <https://issues.apache.org/bugzilla/show_bug.cgi?id=47645#c13>
> is a sufficient fix for the vulnerability?
https://issues.apache.org/bugzilla/attachment.cgi?id=24161 is okay for
applying to older levels.
The code changes in APR 1.3.9 were different, however.
As far as referencing CVE-2009-2699: That was an httpd vulnerability.
Should it be referenced in the APR CHANGES file?
Index: CHANGES
===================================================================
--- CHANGES (revision 825834)
+++ CHANGES (working copy)
@@ -23,7 +23,8 @@
[Bojan Smojver]
*) Fix error handling in the Solaris pollset support (Event Port backend).
- PR 47645. [Jeff Trawick]
+ This resolves httpd vulnerability CVE-2009-2699. PR 47645.
+ [Jeff Trawick]
*) Add the remainder of this fix from trunk:
Fix Solaris poll failure. PR 43000
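Review bot: the new wording at `+ This resolves httpd vulnerability CVE-2009-2699. PR 47645.` still does not tell a reader which APR code change the CVE maps to, which is the gap raised in the quoted message (no specific reference in the APR change history), and the reply above says the code change in APR 1.3.9 differs from Bugzilla attachment 24161. Consider naming the commit revision or the attachment alongside the PR so a downstream packager can check a given APR level against the fix, for example `Fixes the Event Port pollset error handling underlying httpd vulnerability CVE-2009-2699 (PR 47645; attachment 24161 applies to older levels).` Note also that this hunk only touches CHANGES; it does not by itself settle whether the referenced patch is a sufficient fix, which is the question the quoted message asks.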