Debian has issued an advisory tomorrow (October 12): http://lists.debian.org/debian-security-announce/2013/msg00189.html

The issue was fixed upstream in 2.3.9.

Updated packages uploaded for Mageia 3 and Cauldron. Patched package uploaded for Mageia 2.

Advisory:
========================

Updated apache-mod_fcgid package fixes security vulnerability:

Apache mod_fcgid before version 2.3.9 fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code (CVE-2013-4365).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365
http://www.mail-archive.com/dev%40httpd.apache.org/msg58077.html
http://www.debian.org/security/2013/dsa-2778
========================

Updated packages in core/updates_testing:
========================
apache-mod_fcgid-2.3.6-2.2.mga2
apache-mod_fcgid-2.3.9-1.mga3

from SRPMS:
apache-mod_fcgid-2.3.6-2.2.mga2.src.rpm
apache-mod_fcgid-2.3.9-1.mga3.src.rpm
Whiteboard: (none) => MGA2TOO
Testing complete mga3 32 & 64

Just checking the module loads ok

# httpd -M | grep fcgid
fcgid_module (shared)
Whiteboard: MGA2TOO => MGA2TOO mga3-32-ok mga3-64-ok
Testing complete mga2 32 & 64 Same procedure.
Whiteboard: MGA2TOO mga3-32-ok mga3-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
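The two test comments above only confirm that the module loads. A practitioner verifying this update on a fleet also wants to confirm that the installed package is at or above the fixed version-release for its Mageia release, and the mga2 package shows why a naive "upstream >= 2.3.9" check is wrong: the fix is backported, so a fixed mga2 host still reports 2.3.6. The script below is an added example and is not part of the bug report or Mageia's QA tooling; the fixed versions are taken from the package list in the advisory above, while the function names and the (commented-out) rpm/httpd invocations are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): check an installed
# apache-mod_fcgid version-release against the fixed version for its
# Mageia release, as listed in the advisory for CVE-2013-4365.

# Fixed version-release per release, from the core/updates_testing list
# in the advisory above (assumption: these are the only two releases).
fixed_for_release() {
    case "$1" in
        mga2) echo "2.3.6-2.2.mga2" ;;   # backported fix, upstream still 2.3.6
        mga3) echo "2.3.9-1.mga3" ;;     # rebased to upstream 2.3.9
        *)    return 1 ;;
    esac
}

# version_ge INSTALLED FIXED: 0 if INSTALLED >= FIXED.
# Uses GNU sort -V for a version-aware comparison of "version-release"
# strings; the smallest of the two must be FIXED for INSTALLED to be >= it.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# is_fixed RELEASE INSTALLED: 0 if fixed, 1 if still vulnerable,
# 2 if RELEASE is unknown (so callers never treat "unknown" as "fixed").
is_fixed() {
    fixed=$(fixed_for_release "$1") || return 2
    version_ge "$2" "$fixed"
}

# check_host RELEASE: live check for the current machine. Not invoked at
# top level so the script can be sourced for its functions; run it by hand.
# (Assumption: rpm and httpd are on PATH, as on a Mageia web server.)
check_host() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' apache-mod_fcgid) || {
        echo "apache-mod_fcgid not installed"; return 0; }
    if is_fixed "$1" "$installed"; then
        echo "apache-mod_fcgid $installed: fixed for $1"
    else
        echo "apache-mod_fcgid $installed: VULNERABLE (CVE-2013-4365)"
    fi
    # Same check as in the QA comments above: is the module actually loaded?
    httpd -M 2>/dev/null | grep -q fcgid_module && echo "fcgid_module loaded"
}
```

Run as `sh -c '. ./fcgid-check.sh; check_host mga2'` on the host; a version-only check that compares against upstream 2.3.9 would report every patched mga2 host as vulnerable, which is the case this script is written to get right.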
Validating. Advisory uploaded. Could sysadmin please push from 2&3 core/updates_testing to updates Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/570329/
Update pushed: http://advisories.mageia.org/MGASA-2013-0313.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED