Bug 11449

Summary: apache-mod_fcgid new security issue CVE-2013-4365
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570329/
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: apache-mod_fcgid-2.3.7-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-10-12 01:37:51 CEST 
Debian has issued an advisory tomorrow (October 12):
http://lists.debian.org/debian-security-announce/2013/msg00189.html

The issue was fixed upstream in 2.3.9.

Updated packages uploaded for Mageia 3 and Cauldron.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated apache-mod_fcgid package fixes security vulnerability:

Apache mod_fcgid before version 2.3.9 fails to perform adequate boundary checks
on user-supplied input. This may allow a remote attacker to cause a heap-based
buffer overflow, resulting in a denial of service or potentially allowing the
execution of arbitrary code (CVE-2013-4365).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365
http://www.mail-archive.com/dev%40httpd.apache.org/msg58077.html
http://www.debian.org/security/2013/dsa-2778
========================

Updated packages in core/updates_testing:
========================
apache-mod_fcgid-2.3.6-2.2.mga2
apache-mod_fcgid-2.3.9-1.mga3

from SRPMS:
apache-mod_fcgid-2.3.6-2.2.mga2.src.rpm
apache-mod_fcgid-2.3.9-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-10-12 01:38:00 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-10-14 09:04:45 CEST 
Testing complete mga3 32 & 64

Just checking the module loads ok

# httpd -M | grep fcgid
 fcgid_module (shared)

Whiteboard: MGA2TOO => MGA2TOO mga3-32-ok mga3-64-ok

Comment 2 claire robinson 2013-10-14 09:22:11 CEST 
Testing complete mga2 32 & 64

Same procedure.

Whiteboard: MGA2TOO mga3-32-ok mga3-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 3 claire robinson 2013-10-14 09:29:00 CEST 
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

David Walser 2013-10-14 18:42:47 CEST

URL: (none) => http://lwn.net/Vulnerabilities/570329/

Comment 4 Thomas Backlund 2013-10-17 22:07:34 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0313.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED