As explained at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030 there's
a problem with mod_cgi. Whenever a perl script tries to write more than 4096
bytes to STDERR, script execution is stopped, but the process (belonging to that
script) is not terminated. If several scripts of that sort are started then many
processes will still be in the system causing apache to refuse new connections
if max connections has been reached by those scripts. This could be used to
start a denial of service on that server.
I do not use apache myself, but have seen that no one has posted a bug on
bugs.gentoo.org. So you might want to check if this has been fixed in the ebuild.
There should be an update at the apache website in the CVS, which resolves that.
Reproducible: Didn't try
Steps to Reproduce:
Applies to: apache 2.0.47, mod_cgi
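The failure mode described in the report (a CGI child that wedges once it has written more to stderr than the pipe can buffer, while the parent is busy reading stdout to EOF) is easy to reproduce outside apache. The following is an added example, not code from the bug report or from apache; it uses a constructed child script in place of the Perl CGI, a hypothetical "naive" driver that mirrors the described mod_cgi read order, and a "draining" driver that services both pipes as data arrives, which is what a correct CGI handler has to do. The 2 MiB figure is an assumption chosen to exceed any default pipe buffer (the report's 4096 bytes matches the pipe size of the kernels of that era).

```python
import os
import selectors
import subprocess
import sys
import threading

# Stand-in for the misbehaving CGI script (constructed for this example).
# It writes a large chunk to stderr first, then a short CGI response to stdout.
CHILD_SRC = r"""
import sys
n = int(sys.argv[1])
sys.stderr.write("e" * n)
sys.stderr.flush()
sys.stdout.write("Content-Type: text/plain\r\n\r\nok\n")
sys.stdout.flush()
"""

# Assumption: 2 MiB is above every default pipe buffer, so the child
# blocks in write(2) on stderr if nobody drains that pipe.
BIG = 2 * 1024 * 1024


def _spawn(stderr_bytes):
    return subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC, str(stderr_bytes)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE)


def run_naive(stderr_bytes, timeout=2.0):
    """Hypothetical driver with the read order the report describes:
    read stdout to EOF, only then look at stderr.
    Returns ("ok", body) or ("deadlock", None) if the watchdog fires."""
    proc = _spawn(stderr_bytes)
    result = {}

    def reader():
        # Blocks for as long as the child is stuck writing stderr,
        # because the child never reaches its stdout write.
        result["body"] = proc.stdout.read()

    t = threading.Thread(target=reader, daemon=True)
    t.start()
    t.join(timeout)
    if t.is_alive():
        # This is the leftover process the report talks about: alive,
        # blocked, and occupying a server slot. Here we reap it instead.
        proc.kill()
        proc.wait()
        return ("deadlock", None)
    proc.stderr.read()
    proc.wait()
    return ("ok", result["body"])


def run_draining(stderr_bytes):
    """Driver that reads whichever pipe has data, so a chatty stderr can
    never stall the child. Returns (stdout_bytes, stderr_length)."""
    proc = _spawn(stderr_bytes)
    sel = selectors.DefaultSelector()
    sel.register(proc.stdout, selectors.EVENT_READ, "out")
    sel.register(proc.stderr, selectors.EVENT_READ, "err")
    bufs = {"out": bytearray(), "err": bytearray()}
    while sel.get_map():                      # until both pipes hit EOF
        for key, _ in sel.select():
            chunk = os.read(key.fd, 65536)
            if not chunk:
                sel.unregister(key.fileobj)   # writer closed this end
                continue
            bufs[key.data] += chunk
    sel.close()
    proc.wait()
    return bytes(bufs["out"]), len(bufs["err"])


if __name__ == "__main__":
    print("naive driver, small stderr:", run_naive(100)[0])
    print("naive driver, big stderr:  ", run_naive(BIG)[0])
    body, nerr = run_draining(BIG)
    print("draining driver:", body.decode().splitlines()[-1], "stderr bytes:", nerr)
```

The draining loop is the same strategy `Popen.communicate()` uses internally; the point of spelling it out is that the fix is in the parent, not the script: a CGI handler that reads the child's streams strictly one after the other is at the mercy of whatever the script decides to log.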
Mandrake has updated packages with the mod_cgi from apache-2.1 cvs:
The author (firstname.lastname@example.org) of the mod_cgi.c Mandrake included in their SRPM
notes a problem with it, and says it will be developed a bit further.
There is another workaround, however, offered by email@example.com... hmm.
Looks like no progress is being made upstream on this bug yet...
The previous update introduced an experimental mod_cgi.c that while
fixing the deadlock did not do so in a correct manner and it likewise
introduced new problems with other scripts.
These packages roll back to the original mod_cgi.c until such a time as
the apache team have a proper fix in place. Both Mandrake Linux 9.1
and 9.2 are affected with this problem.
I knew they were going to regret going with that fix they did :-)
I think this was addressed in 2.0.48.
Anybody can confirm/deny?
The apache folks still have their bug open, so I do not believe that it is
addressed in 2.0.48.
Still waiting on upstream...
Status update:
No fix in 2.0.49, and apparently this is not top priority in Apache bugzilla. They appear to consider it more a bug than a security problem. Note that to trigger the DoS you need to install a nasty CGI on the server, this cannot be remote-triggered. Downgrading to normal prio.
Status update:
A patch has been posted on Apache bugzilla entry. We should wait for the patch to be included in CVS, and then probably wait for it to be included in an official release, since this is not a serious vuln.
Created attachment 30926: Diff for mod_cgi.c
Status update: the patch was committed to HEAD.
We can apply the patch to 2.0.49 or wait for a release that would include this patch. Given the low vuln level, I would say wait for a release.
Patch pointers:
apache herd: your opinion about this?
My opinion is it's better to be safe than sorry.
zul: can we have a patch for 2.0.49 then?
Thanks in advance :)
Oh I guess so. Added patch.
Thanks zul !
Ready for a GLSA decision...
s390: please mark 2.0.49-r1 stable if you want to benefit from this GLSA.
Closed without GLSA: it's more a bug than a security issue.