Bug 17823

Summary: perl-FCGI missing update for CVE-2012-6687
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/642646/
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: perl-FCGI-0.770.0-4.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-02-25 19:29:05 CET
Debian-LTS has issued an advisory today (February 25):
http://lwn.net/Alerts/677312/

We fixed this issue in fcgi in Bug 15808, but perl-FCGI bundles the same code.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated fcgi packages fix security vulnerability:

FCGI does not perform range checks for file descriptors before use of the
FD_SET macro.  This FD_SET macro could allow for more than 1024 total file
descriptors to be monitored in the closing state. This may allow remote
attackers to cause a denial of service (stack memory corruption, and infinite
loop or daemon crash) by opening many socket connections to the host and
crashing the service (CVE-2012-6687).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6687
http://lwn.net/Alerts/677312/
========================

Updated packages in core/updates_testing:
========================
perl-FCGI-0.770.0-4.1.mga5

from perl-FCGI-0.770.0-4.1.mga5.src.rpm
Comment 1 claire robinson 2016-03-01 12:58:04 CET
Testing complete mga5 64

$ urpmq --whatrequires perl-FCGI
astpp
astpp
munin-master
munin-master
perl-CGI-Fast
perl-CGI-Fast
perl-Continuity
perl-Continuity
perl-FCGI
perl-FCGI-Daemon
perl-FCGI-Daemon
perl-Plack
perl-Plack
perl-Plack
perl-Plack

astpp can (in theory) be used to test this package. In theory because it depends on freeswitch which is currently borked - bug 17252

Just ensuring perl-FCGI package can be installed/updated without issue, which it can.

# rpm -q perl-FCGI
perl-FCGI-0.770.0-4.1.mga5

Whiteboard: (none) => has_procedure mga5-64-ok

Comment 2 claire robinson 2016-03-01 19:24:32 CET
Advisory uploaded.

Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok

Comment 3 claire robinson 2016-03-02 18:17:59 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-03-02 19:30:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0089.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED