Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156731.html

Apparently I fixed it in Cauldron on February 25.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated fcgi packages fix security vulnerability:

FCGI does not perform range checks for file descriptors before use of the FD_SET macro. This FD_SET macro could allow for more than 1024 total file descriptors to be monitored in the closing state. This may allow remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening many socket connections to the host and crashing the service (CVE-2012-6687).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6687
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156731.html
========================

Updated packages in core/updates_testing:
========================
fcgi-2.4.0-15.1.mga4
libfcgi0-2.4.0-15.1.mga4
libfcgi-devel-2.4.0-15.1.mga4

from fcgi-2.4.0-15.1.mga4.src.rpm
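The range check the advisory says is missing, shown as an added example; it is not part of the bug report and not the fcgi patch itself. The function names checked_fd_set and wait_readable are hypothetical, and the poll() variant is one common way to avoid the FD_SETSIZE ceiling altogether.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* FD_SET writes bit `fd` into a fixed array of FD_SETSIZE bits.
 * An fd outside [0, FD_SETSIZE) lands outside the fd_set, so refuse
 * it instead of corrupting whatever sits next to it on the stack. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* poll() takes the descriptor by value, so it has no FD_SETSIZE limit.
 * Returns 1 if readable (or peer closed), 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc;

    do {
        rc = poll(&p, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc <= 0)
        return rc;
    if (p.revents & POLLNVAL) {
        errno = EBADF;
        return -1;
    }
    return (p.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : 0;
}

int main(void)
{
    fd_set set;
    int pfd[2];

    FD_ZERO(&set);
    printf("fd %d accepted: %d\n", FD_SETSIZE, checked_fd_set(FD_SETSIZE, &set) == 0);
    if (pipe(pfd) != 0)
        return 1;
    printf("empty pipe readable: %d\n", wait_readable(pfd[0], 0));
    if (write(pfd[1], "x", 1) != 1)
        return 1;
    printf("after write readable: %d\n", wait_readable(pfd[0], 0));
    return 0;
}
```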
MGA4-32 on Acer D620 Xfce.
No installation issues.
Repeated test as per bug1449 Comment 1 at CLI as root
> httpd -M | grep fcgid
fcgid_module (shared)

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK
MGA4-64 on HP Probook 6555b KDE.
No installation issues.
I had to install apache-mod_fcgid and then had the same result as per Comment 1.
Whiteboard: MGA4-32-OK => MGA4-64-OK MGA4-32-OK
Neither fcgi nor libfcgi0 is actually required by apache-mod_fcgid, surprisingly.

$ urpmq --requires apache-mod_fcgid
apache
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.4)(64bit)

Confirmed the patch was applied though, and as there are no installation issues and we're short on time we can go with it.

It could be more thoroughly tested with mapserver the next time it's updated.
https://bugs.mageia.org/show_bug.cgi?id=7061#c3

$ urpmq --whatrequires fcgi
fcgi

$ urpmq --whatrequires lib64fcgi0
clisp
fcgi
lib64fcgi-devel
lib64fcgi0
mapserver
mapserver
ruby-fcgi

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0184.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED