there appears to be at least a denial-of-service vulnerability in fcgi:
Can someone pleas assign a CVE id to this, to make sure that other
distributions notice this problem as well.
Unfortunately it looks like fastcgi upstream now died, as their mailing
list is not reachable anymore:
So if someone knows how to contact them, please forward them this
It is reported that fcgi will segmentation fault when 1000 connections are
established due to use of select() rather than poll().
working on it
The patch provided does not applies cleanly to our version of fcgi (it is a snapshot). I ported it and revbumped to =dev-libs/fcgi-2.4.1_pre0910052249-r2.
(In reply to Rafael Martins from comment #2)
> The patch provided does not applies cleanly to our version of fcgi (it is a
> snapshot). I ported it and revbumped to
Thanks. Is it ready for stabilization?
(In reply to Kristian Fiskerstrand from comment #3)
> (In reply to Rafael Martins from comment #2)
> > The patch provided does not applies cleanly to our version of fcgi (it is a
> > snapshot). I ported it and revbumped to
> > =dev-libs/fcgi-2.4.1_pre0910052249-r2.
> Thanks. Is it ready for stabilization?
i think so
Arches, please stabilize:
Stable arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please vote.
Arches, Thank you for your work.
First Vote: No
Maintainer(s), please drop the vulnerable version(s).
vulnerable ebuild removed. thanks
Arches and Maintainer(s), Thank you for your work.
GLSA vote: no.
Closing as [noglsa]
FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a
denial of service (segmentation fault and crash) via a large number of