Bug 29893 - net-www/apache : denial of service using malicious CGI
Summary: net-www/apache : denial of service using malicious CGI
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on: 32271
Blocks:
Reported: 2003-09-29 05:43 UTC by Stephen Tallowitz
Modified: 2004-09-22 20:29 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Diff for mod_cgi.c (mod_cgi.c.diff, 23.58 KB, patch)
2004-05-07 06:14 UTC, Thierry Carrez (RETIRED)

Description Stephen Tallowitz 2003-09-29 05:43:02 UTC
As explained at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030 there's
a problem with mod_cgi. Whenever a Perl script tries to write more than 4096
bytes to STDERR, script execution is stopped, but the process (belonging to that
script) is not terminated. If several scripts of that sort are started, then many
processes will still be in the system, causing Apache to refuse new connections
once the maximum number of connections has been reached by those scripts. This
could be used to start a denial of service on that server.
I do not use apache myself, but have seen that no one has posted a bug on
bugs.gentoo.org. So you might want to check if this has been fixed in the ebuild
of apache.
There should be an update at the apache website in the CVS, which resolves that
problem.

Reproducible: Didn't try

Applies to: apache 2.0.47, mod_cgi
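The stall the report describes, reproduced as an added example (this is illustration code, not httpd or mod_cgi code): a constructed stand-in for the misbehaving CGI floods stderr before answering on stdout. A parent that reads stdout to EOF before touching stderr (the pattern behind the report) never drains stderr, so once the kernel pipe buffer fills the child blocks in write(2) and the parent blocks in read(2), and the process lingers exactly as described. A parent that services both pipes with select() completes normally. The 1 MiB payload and the timeouts are assumptions chosen for the demo; modern Linux pipes hold 64 KiB rather than the 4 KiB of the 2003-era kernels, which is why the report's 4096-byte figure no longer triggers it on its own.

```python
"""Pipe-buffer deadlock between a CGI parent and its child (added example,
not httpd/mod_cgi code).

The child writes a large blob to stderr, then its response on stdout. A
parent that reads stdout to EOF before draining stderr hangs: the stderr
pipe fills, the child blocks in write(2), the parent blocks in read(2).
Draining both pipes with select() breaks the cycle.
"""
import os
import select
import subprocess
import sys
import time

# Assumption: 1 MiB comfortably exceeds the kernel pipe buffer
# (64 KiB on modern Linux; 4 KiB on the 2.4 kernels of the 2003 report).
STDERR_BYTES = 1 << 20

# Constructed stand-in for the "malicious CGI": Python instead of Perl so
# the demo needs no second interpreter. Raw os.write mirrors a C CGI's
# write(2), which blocks once the pipe is full and nobody reads it.
CHILD_SCRIPT = f"""
import os
view = memoryview(b'E' * {STDERR_BYTES})
while view:                       # blocks for good if stderr is never drained
    view = view[os.write(2, view):]
os.write(1, b'Content-Type: text/plain\\r\\n\\r\\nhello\\n')
"""


def spawn_child():
    return subprocess.Popen(
        [sys.executable, "-c", CHILD_SCRIPT],
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )


def _reap(p):
    """Kill a stuck child and close our pipe ends."""
    if p.poll() is None:
        p.kill()
        p.wait()
    p.stdout.close()
    p.stderr.close()


def read_stdout_then_stderr(stall_timeout=3.0):
    """The deadlocking pattern: consume stdout to EOF, only then read stderr.

    A real parent blocks in read(2) forever; select() with a timeout stands
    in for an observer so we can report the stall instead of hanging.
    Returns (state, stdout_bytes, child_still_alive).
    """
    p = spawn_child()
    out = bytearray()
    deadline = time.monotonic() + stall_timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                # No stdout and the child has not exited: it is stuck in
                # write(2) on the full stderr pipe, the lingering process
                # the report describes.
                return "stalled", bytes(out), p.poll() is None
            ready, _, _ = select.select([p.stdout], [], [], remaining)
            if not ready:
                continue
            chunk = os.read(p.stdout.fileno(), 65536)
            if not chunk:
                break
            out += chunk
        p.stderr.read()               # only reached once stdout hit EOF
        p.wait()
        return "ok", bytes(out), False
    finally:
        _reap(p)


def drain_both(timeout=30.0):
    """The fix: read from whichever of stdout/stderr is ready.

    Returns (exit_code, stdout_bytes, stderr_byte_count).
    """
    p = spawn_child()
    bufs = {p.stdout.fileno(): bytearray(), p.stderr.fileno(): bytearray()}
    open_fds = set(bufs)
    deadline = time.monotonic() + timeout
    try:
        while open_fds:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise TimeoutError("child did not finish")
            ready, _, _ = select.select(sorted(open_fds), [], [], remaining)
            for fd in ready:
                chunk = os.read(fd, 65536)
                if chunk:
                    bufs[fd] += chunk
                else:
                    open_fds.discard(fd)      # EOF on this pipe
        rc = p.wait(timeout=timeout)
        return rc, bytes(bufs[p.stdout.fileno()]), len(bufs[p.stderr.fileno()])
    finally:
        _reap(p)


if __name__ == "__main__":
    state, _, alive = read_stdout_then_stderr()
    print("stdout-first parent:", state, "| child still alive:", alive)
    rc, body, nerr = drain_both()
    print("draining parent: exit", rc, "| stdout", body[-6:], "| stderr bytes", nerr)
```

Running it shows the first parent reporting `stalled` with the child still alive, and the second returning exit code 0 with the full response and all of stderr consumed. mod_cgi's job is the same: whichever pipe becomes readable must be serviced, or a single script that chatters on stderr ties up one server slot until it is killed.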
Comment 1 Marius Mauch (RETIRED) gentoo-dev 2003-09-29 11:57:09 UTC
Mandrake has updated packages with the mod_cgi from apache-2.1 cvs:
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:096
Comment 2 Donny Davies (RETIRED) gentoo-dev 2003-09-29 15:26:06 UTC
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

The author (trawick@apache.org) of the mod_cgi.c Mandrake included in their SRPM
notes a problem with it, and says it will be developed a bit further.

There is another workaround however offered by bbb@cpan.org... hmm.
Comment 3 solar (RETIRED) gentoo-dev 2003-10-15 16:13:36 UTC
Looks like no progress is being made upstream on this bug yet...

Comment 4 Donny Davies (RETIRED) gentoo-dev 2003-10-27 15:01:14 UTC
Mandrake Update:

 The previous update introduced an experimental mod_cgi.c that while
 fixing the deadlock did not do so in a correct manner and it likewise
 introduced new problems with other scripts.

 These packages roll back to the original mod_cgi.c until such a time as
 the apache team have a proper fix in place.  Both Mandrake Linux 9.1
 and 9.2 are affected with this problem.

--
I knew they were going to regret going with that fix they did :-)
Comment 5 solar (RETIRED) gentoo-dev 2003-10-29 10:12:51 UTC
http://bugs.gentoo.org/show_bug.cgi?id=32271
Comment 6 Donny Davies (RETIRED) gentoo-dev 2003-10-30 09:49:54 UTC
I think this was addressed in 2.0.48.

Anybody can confirm/deny?
Comment 7 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-10-31 01:09:26 UTC
The Apache folks still have their bug open, so I do not believe that it is
addressed in 2.0.48.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

still waiting on upstream...
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-04-01 07:41:06 UTC
Status update :

No fix in 2.0.49, and apparently this is not top priority in Apache bugzilla. They appear to consider it more a bug than a security problem. Note that to trigger the DoS you need to install a nasty CGI on the server, this cannot be remote-triggered. Downgrading to normal prio.

-K
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-19 07:43:56 UTC
Status update :

A patch has been posted on Apache bugzilla entry. We should wait for the patch to be included in CVS, and then probably wait for it to be included in an official release, since this is not a serious vuln.

-K
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 06:14:26 UTC
Created attachment 30926
Diff for mod_cgi.c

Status update: the patch was committed to HEAD.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 06:16:50 UTC
We can apply the patch to 2.0.49 or wait for a release that would include this patch. Given the low vuln level, I would say wait for a release.

Patch pointers:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/generators/mod_cgi.c

Apache herd: your opinion about this?
Comment 12 Chuck Short (RETIRED) gentoo-dev 2004-05-07 06:23:11 UTC
My opinion is better to be safe than sorry.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-05-15 11:19:39 UTC
zul: can we have a patch for 2.0.49 then?
Thanks in advance :)
Comment 14 Chuck Short (RETIRED) gentoo-dev 2004-05-16 07:04:44 UTC
Oh I guess so. Added patch.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-05-18 06:33:17 UTC
Thanks zul!
Ready for a GLSA decision...
s390 : please mark 2.0.49-r1 stable if you want to benefit from this GLSA.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-05-18 07:50:50 UTC
Closed without GLSA: it's more a bug than a security issue.