FS#44562 : [fcgi] CVE-2012-6687 (DOS vulnerability)

FS#44562 - [fcgi] CVE-2012-6687 (DOS vulnerability)

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Sunday, 12 April 2015, 18:07 GMT
Last edited by Pierre Schmitz (Pierre) - Saturday, 16 May 2015, 11:40 GMT

Task Type	Bug Report
Category	Packages: Extra
Status	Closed
Assigned To	Pierre Schmitz (Pierre)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:
fcgi 2.4.0 is prone to a DOS vulnerability as described in CVE-2012-6687:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6687

The folks at Debian, Ubuntu and Redhat/Fedora have patched their packages already in February 2015:

https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417

Please note though that their patch does *NOT* seem to be complete as it still lets one select() call unchanged while replacing 2 others with poll() calls:

https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417/comments/5
https://launchpadlibrarian.net/93064712/poll.patch

Additional info:
* fcgi 2.4.0-9 (package build date: 2013-10-20)

This task depends upon

Closed by Pierre Schmitz (Pierre)
Saturday, 16 May 2015, 11:40 GMT
Reason for closing: Fixed

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#44562 - [fcgi] CVE-2012-6687 (DOS vulnerability)

Details

Loading...