Posted to dev@httpd.apache.org by Daniel Kahn Gillmor <dk...@fifthhorseman.net> on 2012/03/15 20:45:49 UTC

CVE requested for mod-fcgid 2.3.6 (possible DoS vulnerability)

Hi Apache folks--

Just a heads-up to let you know that i've requested a CVE for 
mod_fcgid's 2.3.6 (the current release) due to possible DoS based on the 
module not respecting administrator-configured limits:

  http://www.openwall.com/lists/oss-security/2012/03/15/10

The issue is fixed in r1037727, but apparently not yet released.

The issue is also in the bugtracker as:

  https://issues.apache.org/bugzilla/show_bug.cgi?id=49902

Thanks for your work on apache!

Regards,

     --dkg

PS please keep me in the CC if there's more discussion; i've subscribed 
to http-dev to give this heads-up, but can't cope with yet another 
e-mail firehose for the long term. :/