CVE-2025-23016 was announced here: https://www.openwall.com/lists/oss-security/2025/04/23/4
Upstream fix: https://github.com/FastCGI-Archives/fcgi2/commit/b0eabcaf4d4f371514891a52115c746815c2ff15
CVE: (none) => CVE-2025-23016
Source RPM: (none) => fcgi-2.4.0-23.mga10.src.rpm, fcgi-2.4.0-22.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 2.4.5 and patch available from upstream
No particular packager implicated, so assigning globally. This package has had a quiet history with no visible version updates, so that may be simplest.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c. (CVE-2025-23016)

References:
https://www.openwall.com/lists/oss-security/2025/04/23/4
========================

Updated packages in core/updates_testing:
========================
fcgi-2.4.0-22.1.mga9
lib(64)fcgi0-2.4.0-22.1.mga9
lib(64)fcgi-devel-2.4.0-22.1.mga9

from SRPM:
fcgi-2.4.0-22.1.mga9.src.rpm
Source RPM: fcgi-2.4.0-23.mga10.src.rpm, fcgi-2.4.0-22.mga9.src.rpm => fcgi-2.4.0-22.mga9.src.rpm
Status comment: Fixed upstream in 2.4.5 and patch available from upstream => (none)
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
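The bug class named in the advisory above, as an added example that is not part of this bug report and is not the upstream fcgi2 code or patch: it decodes FastCGI name-value lengths and compares an unchecked 32-bit size sum with a checked one. The function names, the `body_remaining` parameter and the `+ 2` (room for a separator and a terminating NUL) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FastCGI name-value length: 1 byte if the high bit is clear, else 4 bytes
 * big-endian with the high bit masked. Returns bytes consumed, 0 if short. */
size_t fcgi_decode_len(const uint8_t *p, size_t avail, uint32_t *out)
{
    if (avail < 1) return 0;
    if ((p[0] & 0x80) == 0) { *out = p[0]; return 1; }
    if (avail < 4) return 0;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

/* Unchecked 32-bit size: name + value + 2 (assumed separator and NUL).
 * 0x7fffffff + 0x7fffffff + 2 wraps to 0. */
uint32_t pair_size_unchecked(uint32_t name_len, uint32_t value_len)
{
    return name_len + value_len + 2u;
}

/* Checked size: sum in 64 bits and reject pairs longer than the bytes
 * actually left in the record (body_remaining is a hypothetical parameter).
 * Returns 0 and stores the allocation size, or -1 to drop the record. */
int pair_size_checked(uint32_t name_len, uint32_t value_len,
                      size_t body_remaining, size_t *out)
{
    uint64_t need = (uint64_t)name_len + value_len;
    if (need > body_remaining) return -1;
    if (need + 2 > SIZE_MAX) return -1;
    *out = (size_t)(need + 2);
    return 0;
}

int main(void)
{
    /* Constructed header bytes: two 4-byte lengths, both at the maximum. */
    const uint8_t hdr[8] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    uint32_t n = 0, v = 0;
    size_t used = fcgi_decode_len(hdr, sizeof hdr, &n), sz = 0;
    used += fcgi_decode_len(hdr + used, sizeof hdr - used, &v);
    printf("unchecked=%u checked=%d\n", (unsigned)pair_size_unchecked(n, v),
           pair_size_checked(n, v, sizeof hdr - used, &sz));
    return 0;
}
```

Bounding the declared lengths by the bytes actually present in the record rejects the oversized pair before any allocation takes place.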
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bugs 15808 and 11449, so after installing apache-mod_fcgid I get:
# httpd -M | grep fcgid
 fcgid_module (shared)
So OK to go.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0144.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED