| Summary: | <www-apache/mod_fcgid-2.3.6: Stack buffer overflow vulnerability (CVE-2010-3872) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Lance Albertson (RETIRED) <ramereth> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | security |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk/CHANGES-FCGID | | |
| Whiteboard: | B1? [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Stefan Behte (RETIRED)
2010-11-08 14:25:23 UTC
Bumped in portage. Arches, please test and mark stable: =www-apache/mod_fcgid-2.3.6 Target keywords : "amd64 ppc x86"

amd64/x86 stable

ppc stable, last arch done

Thanks, folks. GLSA request filed.

CVE-2010-3872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3872): The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytewise pointer arithmetic in certain circumstances, which has unknown impact and attack vectors related to "untrusted FastCGI applications" and a "stack buffer overwrite."

This issue was resolved and addressed in GLSA 201207-09 at http://security.gentoo.org/glsa/glsa-201207-09.xml by GLSA coordinator Sean Amoss (ackle).
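The CVE text above names the bug class as non-bytewise pointer arithmetic on a stack buffer. The following C sketch is an added illustration of that class and its fix, not code from mod_fcgid or from this bug report; the `rec_header` type, the function names and the sample bytes are constructed, and the split read used as the trigger is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for an 8-byte FastCGI record header. */
typedef struct { unsigned char b[8]; } rec_header;

/* Byte offset that `hdr + have` resolves to when hdr is a rec_header *:
 * C scales pointer arithmetic by sizeof(*hdr), so 3 "bytes" becomes 24. */
static size_t typed_offset(size_t have) { return have * sizeof(rec_header); }

/* Audit helper: would copying `len` bytes to `hdr + have` stay in the header?
 * Computed arithmetically so the out-of-bounds write is never performed. */
int typed_write_in_bounds(size_t have, size_t len) {
    return typed_offset(have) + len <= sizeof(rec_header);
}

/* Hardened accumulator: the offset is applied to a byte pointer and the
 * copy is clamped to the room left. Returns bytes consumed from chunk. */
size_t header_append(rec_header *hdr, size_t *have,
                     const unsigned char *chunk, size_t len) {
    size_t room = sizeof(*hdr) - *have;
    size_t n = len < room ? len : room;
    memcpy((unsigned char *)hdr + *have, chunk, n);
    *have += n;
    return n;
}

/* Assumed trigger: the peer delivers the header in two reads (3 + 5 bytes).
 * Returns 1 if the bytewise version reassembles it intact. */
int demo_split_read(void) {
    static const unsigned char wire[8] = {1, 6, 0, 1, 0, 16, 0, 0}; /* constructed */
    rec_header hdr;
    size_t have = 0;
    memset(&hdr, 0, sizeof hdr);
    header_append(&hdr, &have, wire, 3);
    header_append(&hdr, &have, wire + 3, 5);
    return have == 8 && memcmp(hdr.b, wire, 8) == 0;
}

int main(void) { return demo_split_read() ? 0 : 1; }
```

With a single full-size read the typed and bytewise offsets coincide at zero, so the defect only shows when data arrives in pieces, which is why the helper reports the second write of a 3 + 5 split as out of bounds.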