Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#44562 - [fcgi] CVE-2012-6687 (DOS vulnerability)
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Sunday, 12 April 2015, 18:07 GMT
Last edited by Pierre Schmitz (Pierre) - Saturday, 16 May 2015, 11:40 GMT
Opened by Pascal Ernster (hardfalcon) - Sunday, 12 April 2015, 18:07 GMT
Last edited by Pierre Schmitz (Pierre) - Saturday, 16 May 2015, 11:40 GMT
|
DetailsDescription:
fcgi 2.4.0 is prone to a DOS vulnerability as described in CVE-2012-6687: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6687 The folks at Debian, Ubuntu and Redhat/Fedora have patched their packages already in February 2015: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417 Please note though that their patch does *NOT* seem to be complete as it still lets one select() call unchanged while replacing 2 others with poll() calls: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417/comments/5 https://launchpadlibrarian.net/93064712/poll.patch Additional info: * fcgi 2.4.0-9 (package build date: 2013-10-20) |
This task depends upon