Bug#605484: marked as done (libapache2-mod-fcgid: stack overwrite vulnerability)

Wed, 05 Jan 2011 23:57:25 -0800 

Your message dated Thu, 06 Jan 2011 07:56:20 +0000
with message-id <e1pakho-0001dd...@franck.debian.org>
and subject line Bug#605484: fixed in libapache2-mod-fcgid 1:2.2-1+lenny1
has caused the Debian Bug report #605484,
regarding libapache2-mod-fcgid: stack overwrite vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: libapache2-mod-fcgid
Version: 1:2.2-1
Severity: grave
Tags: security
Justification: user security hole

This was reported in CVE-2010-3872.  Information at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3872

https://issues.apache.org/bugzilla/show_bug.cgi?id=49406

Of particular note, the code in question appears at line 86 in the
lenny version, and is:

                memcpy(&header + hasread, buffer, putsize);


Our versions in lenny and lenny-backports are both vulnerable.
squeeze and sid are running new enough versions that they aren't.

-- System Information:
Debian Release: 5.0.7
  APT prefers stable
  APT policy: (500, 'stable'), (99, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-fcgid depends on:
ii  apache2.2-common         2.2.9-10+lenny8 Apache HTTP Server common files
ii  libc6                    2.7-18lenny6    GNU C Library: Shared libraries

libapache2-mod-fcgid recommends no packages.

libapache2-mod-fcgid suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: libapache2-mod-fcgid
Source-Version: 1:2.2-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-fcgid, which is due to be installed in the Debian FTP archive:

libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
libapache2-mod-fcgid_2.2-1+lenny1.dsc
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1.dsc
libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tatsuki Sugiura <s...@nemui.org> (supplier of updated libapache2-mod-fcgid 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 03 Dec 2010 19:34:59 +0000
Source: libapache2-mod-fcgid
Binary: libapache2-mod-fcgid
Architecture: source i386
Version: 1:2.2-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Tatsuki Sugiura <s...@nemui.org>
Changed-By: Tatsuki Sugiura <s...@nemui.org>
Description: 
 libapache2-mod-fcgid - an alternative module compat with mod_fastcgi
Closes: 605484
Changes: 
 libapache2-mod-fcgid (1:2.2-1+lenny1) stable-security; urgency=high
 .
   * Backport fix for CVE-2010-3872 (Closes: #605484);
     FastCGI application can cause heap corruption by long FCGI header.
Checksums-Sha1: 
 fcccb4a52f5ad9069aeca7a7f933357e6e776fa0 1179 
libapache2-mod-fcgid_2.2-1+lenny1.dsc
 c5a3c3eeaac394305472251fe5b310bdf9918088 6960 
libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
 dc817a20ad6528480a441e4b7ad6920ec11c55e0 56954 
libapache2-mod-fcgid_2.2.orig.tar.gz
 ddf279312b84d9d447a6d8b1bbdb9ded0a737655 42624 
libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
Checksums-Sha256: 
 0036df69fb419303cacdbcd6b269a5dbdb5369572e548260bf4408d9bb64f873 1179 
libapache2-mod-fcgid_2.2-1+lenny1.dsc
 a8288fa153a91aa3b84c66e88fdebdc8cfaad269480d828aed7fa0550a6ea300 6960 
libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
 7a0985a120dceb4c6974e8bf216752b0b763ae949f5dfbbf93cc350510e4c80e 56954 
libapache2-mod-fcgid_2.2.orig.tar.gz
 4d2c432b04e4568c7309a561cbd2a10554c000bf633e6da13847351b5c09478e 42624 
libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
Files: 
 c4a3c2bd93b99ec085abe53d3e88042b 1179 net optional 
libapache2-mod-fcgid_2.2-1+lenny1.dsc
 bb791249528687a45ea0b9ef220e284b 6960 net optional 
libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
 ce7d7b16e69643dbd549d43d85025983 56954 net optional 
libapache2-mod-fcgid_2.2.orig.tar.gz
 0c795cf33563e6a7a3bfdfceb4848074 42624 net optional 
libapache2-mod-fcgid_2.2-1+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0H4OwACgkQYy49rUbZzlrxGwCfVO+5n3OzdY6ZNNFmWHe71sVk
KcEAn2fkgBr8Kv72cDACHXnpje7/RSp2
=PyZQ
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to