Summary: | <www-apache/mod_fcgid-2.3.9: heap overflow (CVE-2013-4365) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ramereth |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Hanno Böck
2013-10-08 12:25:57 UTC
(In reply to Hanno Boeck from comment #0) > mod_fcgid 2.3.9 fixes a heap overflow: > http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html > > From upstream release notes: > *) SECURITY: CVE-2013-4365 (cve.mitre.org) > Fix possible heap buffer overwrite. Reported and solved by: > [Robert Matthews <rob tigertech.com>] Please cc the maintainer. CVE-2013-4365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4365): Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.9 for the Apache HTTP Server allows remote attackers to have an unspecified impact via unknown vectors. As this package is maintainer-needed, I've bumped it (and before you ask: I don't intend to become the maintainer). Much appreciated. Arches, please test and mark stable: =www-apache/mod_fcgid-2.3.9 Target arches: amd64 ppc x86 amd64 stable x86 stable ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. GLSA Request Filed Maintainer(s), please drop the vulnerable version(s). Dropped old. This issue was resolved and addressed in GLSA 201402-09 at http://security.gentoo.org/glsa/glsa-201402-09.xml by GLSA coordinator Chris Reffett (creffett). |