Debian-LTS has issued an advisory today (February 25):
http://lwn.net/Alerts/677312/

We fixed this issue in fcgi in Bug 15808, but perl-FCGI bundles the same code.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated fcgi packages fix security vulnerability:

FCGI does not perform range checks for file descriptors before use of the FD_SET macro. This FD_SET macro could allow for more than 1024 total file descriptors to be monitored in the closing state. This may allow remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening many socket connections to the host and crashing the service (CVE-2012-6687).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6687
http://lwn.net/Alerts/677312/
========================

Updated packages in core/updates_testing:
========================
perl-FCGI-0.770.0-4.1.mga5

from perl-FCGI-0.770.0-4.1.mga5.src.rpm
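The missing range check described in the advisory, shown as an added example (not the fcgi or perl-FCGI code, and not taken from the upstream patch): a checked wrapper around FD_SET, plus a poll()-based wait that has no 1024-descriptor ceiling. The names fd_fits_select, checked_fd_set, wait_readable and demo are hypothetical, and using poll() is one possible mitigation assumed here.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* FD_SET sets bit `fd` in a fixed array of FD_SETSIZE bits (usually 1024);
 * a descriptor outside 0..FD_SETSIZE-1 makes it write outside the fd_set. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Range-checked FD_SET: 0 on success, -1 (errno = EINVAL) if fd is out of range. */
int checked_fd_set(int fd, fd_set *set)
{
    if (!fd_fits_select(fd)) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Wait for fd to become readable: 1 = readable, 0 = timeout, -1 = error.
 * poll() takes the descriptor as an int, so it has no FD_SETSIZE ceiling. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc;

    if (fd < 0) { errno = EBADF; return -1; }  /* poll() silently skips negative fds */
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc > 0 && (pfd.revents & POLLNVAL)) { errno = EBADF; return -1; }
    return rc > 0 ? 1 : rc;
}

/* Constructed input: an empty pipe times out, then is readable after one byte. */
int demo(void)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    int before = wait_readable(p[0], 0);
    int wrote = (int)write(p[1], "x", 1);
    int after = wait_readable(p[0], 100);
    close(p[0]); close(p[1]);
    return (before == 0 && wrote == 1 && after == 1) ? 0 : 1;
}
int main(void) { return demo(); }
```

A daemon that must keep select() can refuse or close any accepted socket for which fd_fits_select() is false instead of passing it to FD_SET.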
Testing complete mga5 64

$ urpmq --whatrequires perl-FCGI
astpp
astpp
munin-master
munin-master
perl-CGI-Fast
perl-CGI-Fast
perl-Continuity
perl-Continuity
perl-FCGI
perl-FCGI-Daemon
perl-FCGI-Daemon
perl-Plack
perl-Plack
perl-Plack
perl-Plack

astpp can (in theory) be used to test this package. In theory because it depends on freeswitch which is currently borked - bug 17252

Just ensuring perl-FCGI package can be installed/updated without issue, which it can.

# rpm -q perl-FCGI
perl-FCGI-0.770.0-4.1.mga5
Whiteboard: (none) => has_procedure mga5-64-ok
Advisory uploaded.
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0089.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED