tags 615814 + security patch
thanks

#615814 appears to be an opportunity for a denial of service attack, since explicitly declared process limits are not respected.
Despite not having yet released 2.3.7, upstream is clearly aware of the bug in 2.3.6, since they committed a fix for it back in November of 2010 (the same fix provided by Miguel Cabeça): 0 dkg@pip:~$ svn diff -r1037726:1037727 https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk Index: CHANGES-FCGID =================================================================== --- CHANGES-FCGID (revision 1037726) +++ CHANGES-FCGID (revision 1037727) @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with mod_fcgid 2.3.7 + *) Fix regression in 2.3.6 which broke process controls when using vhost- + specific configuration. [Jeff Trawick] + *) Account for first process in class in the spawn score. [Jeff Trawick] Changes with mod_fcgid 2.3.6 Index: modules/fcgid/fcgid_spawn_ctl.c =================================================================== --- modules/fcgid/fcgid_spawn_ctl.c (revision 1037726) +++ modules/fcgid/fcgid_spawn_ctl.c (revision 1037727) 
@@ -178,7 +178,7 @@ if (current_node->inode == command->inode && current_node->deviceid == command->deviceid && !strcmp(current_node->cmdline, command->cmdline) - && current_node->vhost_id == sconf->vhost_id + && current_node->vhost_id == command->vhost_id && current_node->uid == command->uid && current_node->gid == command->gid) break; 0 dkg@pip:~$ svn log -r1037727 https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk ------------------------------------------------------------------------ r1037727 | trawick | 2010-11-22 09:08:29 -0500 (Mon, 22 Nov 2010) | 7 lines Fix regression in 2.3.6 which broke process controls when using vhost- specific configuration. vhost_id was referenced from the wrong structure, and never matched unless there were no vhost-specific directives in the vhost of the request. ------------------------------------------------------------------------ 0 dkg@pip:~$ I've prepared an NMU for unstable and i'm uploading it to DELAYED/5 (see the attached debdiff). I'd like to offer the same fix for either the security archive or the next stable point release, since currently debian stable systems running mod_fcgid are vulnerable to denial of service attacks by memory exhaustion where this limit is not respected. Security folks, would you accept this as a security upload for squeeze, or should i fall back to the release-team for the next point release? I don't think i've ever prepared a DSA before, but i'm prepared to learn if you think that's reasonable. --dkg
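Review bot: in the fcgid_spawn_ctl.c hunk the node-matching condition now reads vhost_id from `command`, which makes it consistent with the other five fields in the same condition (inode, deviceid, cmdline, uid, gid), all of which are already taken from `command`; since the log describes the regression as "referenced from the wrong structure", it is worth checking the rest of fcgid_spawn_ctl.c for any other comparison of a node field against `sconf->vhost_id` before calling the regression fully fixed. Separately, the CHANGES-FCGID hunk adds two entries ("Fix regression in 2.3.6 ..." and "Account for first process in class in the spawn score") while the only code change in r1037727 is the one-line vhost_id fix, so a downstream import of this revision should cite only the first entry.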
diff -u libapache2-mod-fcgid-2.3.6/debian/changelog libapache2-mod-fcgid-2.3.6/debian/changelog --- libapache2-mod-fcgid-2.3.6/debian/changelog +++ libapache2-mod-fcgid-2.3.6/debian/changelog @@ -1,3 +1,11 @@ +libapache2-mod-fcgid (1:2.3.6-1.1) unstable; urgency=low + + * Non-maintainer upload. + * import r1037727 from upstream to fix vhost-specific process controls + (Closes: #615814) + + -- Daniel Kahn Gillmor <[email protected]> Wed, 07 Mar 2012 17:00:08 -0500 + libapache2-mod-fcgid (1:2.3.6-1) unstable; urgency=low * New upstream release (Closes: #595276) diff -u libapache2-mod-fcgid-2.3.6/debian/patches/00list libapache2-mod-fcgid-2.3.6/debian/patches/00list --- libapache2-mod-fcgid-2.3.6/debian/patches/00list +++ libapache2-mod-fcgid-2.3.6/debian/patches/00list @@ -1,0 +2 @@ +20_honor_FcgidMaxProcessesPerClass_setting.dpatch only in patch2: unchanged: --- libapache2-mod-fcgid-2.3.6.orig/debian/patches/20_honor_FcgidMaxProcessesPerClass_setting.dpatch +++ libapache2-mod-fcgid-2.3.6/debian/patches/20_honor_FcgidMaxProcessesPerClass_setting.dpatch 
@@ -0,0 +1,26 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 20_honor_FcgidMaxProcessesPerClass_setting.dpatch by <[email protected]> +## +## DP: See r1037727 from https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk by trawick: +## DP: +## DP: Fix regression in 2.3.6 which broke process controls when using vhost- +## DP: specific configuration. +## DP: +## DP: vhost_id was referenced from the wrong structure, and never matched +## DP: unless there were no vhost-specific directives in the vhost of the +## DP: request. + + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' libapache2-mod-fcgid-2.3.6~/modules/fcgid/fcgid_spawn_ctl.c libapache2-mod-fcgid-2.3.6/modules/fcgid/fcgid_spawn_ctl.c +--- libapache2-mod-fcgid-2.3.6~/modules/fcgid/fcgid_spawn_ctl.c 2011-08-19 17:13:22.982605420 +0100 ++++ libapache2-mod-fcgid-2.3.6/modules/fcgid/fcgid_spawn_ctl.c 2011-08-19 17:19:31.859603703 +0100 +@@ -173,7 +173,7 @@ + if (current_node->inode == command->inode + && current_node->deviceid == command->deviceid + && !strcmp(current_node->cmdline, command->cmdline) +- && current_node->vhost_id == sconf->vhost_id ++ && current_node->vhost_id == command->vhost_id + && current_node->uid == command->uid + && current_node->gid == command->gid) + break;
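Review bot: the debian/changelog hunk uses `urgency=low` for an upload whose cover mail describes it as closing a denial-of-service hole; an NMU carrying a security fix normally gets a higher urgency, and the entry should state the user-visible problem (the per-class process limit not being enforced in vhosts that carry their own mod_fcgid directives) rather than only "import r1037727 from upstream", so the security team and stable users can judge it from the changelog alone. The dpatch hunk is at `@@ -173,7 +173,7 @@` where upstream trunk has `@@ -178,7 +178,7 @@`; the context lines are identical, so this is only the 2.3.6-release-versus-trunk offset and the patch changes the same condition.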


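The following is an added illustration and not mod_fcgid's own code nor anything from the bug report: a simplified model of a per-class process registry that reproduces the failure mode the commit message describes. The registry keys each process class on the same six fields as the hunk above; `find_node()` can compare the stored vhost_id either against the server config's vhost_id (the 2.3.6 behaviour) or against the command's vhost_id (the r1037727 fix). When a vhost has its own directives the two ids differ, so the buggy comparison never finds the existing class, a fresh class with zero processes is registered on every request, and the declared per-class limit is never reached. All struct names, the `max_per_class` field and the sample command are assumptions made for this model.

```c
#include <string.h>

#define MAX_NODES 256   /* registry capacity for the simulation (assumed) */

/* Identity of a FastCGI command as the spawner sees it (modelled, not mod_fcgid's struct) */
typedef struct {
    unsigned long inode;
    unsigned long deviceid;
    char cmdline[64];
    int vhost_id;
    int uid;
    int gid;
} proc_cmd;

/* One process class: a command identity plus how many of its processes exist */
typedef struct {
    proc_cmd key;
    int process_count;
} class_node;

typedef struct {
    class_node nodes[MAX_NODES];
    int n;
} registry;

/* Server-level configuration in effect for the request (modelled) */
typedef struct {
    int vhost_id;        /* id of the config the request was matched against */
    int max_per_class;   /* the declared per-class process limit */
} server_conf;

/* Look up the class node for cmd.  With buggy != 0 the comparison uses the
 * vhost_id from sconf, mirroring the 2.3.6 regression; otherwise it uses the
 * vhost_id carried by the command, as the r1037727 fix does. */
static class_node *find_node(registry *r, const proc_cmd *cmd,
                             const server_conf *sconf, int buggy)
{
    int expected_vhost = buggy ? sconf->vhost_id : cmd->vhost_id;
    int i;
    for (i = 0; i < r->n; i++) {
        class_node *cur = &r->nodes[i];
        if (cur->key.inode == cmd->inode
            && cur->key.deviceid == cmd->deviceid
            && !strcmp(cur->key.cmdline, cmd->cmdline)
            && cur->key.vhost_id == expected_vhost
            && cur->key.uid == cmd->uid
            && cur->key.gid == cmd->gid)
            return cur;
    }
    return NULL;
}

/* One spawn request: returns 1 if a process may start, 0 if the limit refuses it */
static int try_spawn(registry *r, const proc_cmd *cmd,
                     const server_conf *sconf, int buggy)
{
    class_node *node = find_node(r, cmd, sconf, buggy);
    if (node == NULL) {
        /* No matching class: register a fresh one with zero processes */
        if (r->n >= MAX_NODES)
            return 0;
        node = &r->nodes[r->n++];
        node->key = *cmd;
        node->process_count = 0;
    }
    if (node->process_count >= sconf->max_per_class)
        return 0;   /* limit enforced */
    node->process_count++;
    return 1;
}

/* Feed `requests` spawn requests for one constructed command and return how
 * many the limit let through.  cmd_vhost_id is the vhost the command belongs
 * to; sconf_vhost_id is the vhost_id in the server config used for comparison. */
int allowed_spawns(int requests, int max_per_class,
                   int cmd_vhost_id, int sconf_vhost_id, int buggy)
{
    static registry r;
    proc_cmd cmd;
    server_conf sconf;
    int allowed = 0, i;

    memset(&r, 0, sizeof r);
    memset(&cmd, 0, sizeof cmd);
    cmd.inode = 1234;                                   /* constructed sample */
    cmd.deviceid = 7;
    strcpy(cmd.cmdline, "/var/www/example/app.fcgi");   /* constructed sample */
    cmd.vhost_id = cmd_vhost_id;
    cmd.uid = 33;
    cmd.gid = 33;
    sconf.vhost_id = sconf_vhost_id;
    sconf.max_per_class = max_per_class;

    for (i = 0; i < requests; i++)
        allowed += try_spawn(&r, &cmd, &sconf, buggy);
    return allowed;
}
```

With a limit of 5 and twenty requests, `allowed_spawns(20, 5, 3, 0, 1)` (vhost-specific config, buggy comparison) lets all twenty through, while the fixed comparison and the buggy comparison in a vhost without its own directives (ids equal) both stop at 5. That matches the commit message: the lookup "never matched unless there were no vhost-specific directives in the vhost of the request".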