Date: Thu, 15 Mar 2012 18:40:27 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>
Subject: Re: CVE-request: apache's mod-fcgid does not respect configured FcgidMaxProcessesPerClass in VirtualHost

On 03/15/2012 12:39 PM, Daniel Kahn Gillmor wrote:
> Version 2.3.6 of mod-fcgid (the current published version from ASF
> according to [0]) has a known problem that FcgidMaxProcessesPerClass
> directives are not honored when they appear inside a VirtualHost stanza.
>
> This presents a risk for a denial of service because it means that
> a remote attacker can violate the intent of the admin and overwhelm
> the server running fcgid.
>
> Could a CVE be assigned for this vulnerability?
>
> If the admin declares that a given virtualhost should be limited to X
> fastcgi processes (often in order to constrain RAM usage by the
> vhost), any remote user can issue X+1 (or 10X, or whatever) concurrent
> GET requests, which defeats the documented limit, and can result in
> heavy swap or the oom-killer, which can cause a DoS on other services
> on the host.
>
> This bug has been fixed since the release of 2.3.6 in upstream's svn
> (r1037727 of https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk)
> with a narrowly-targeted one-line patch:
>
> --- modules/fcgid/fcgid_spawn_ctl.c (revision 1037726)
> +++ modules/fcgid/fcgid_spawn_ctl.c (revision 1037727)
> @@ -178,7 +178,7 @@
>         if (current_node->inode == command->inode
>             && current_node->deviceid == command->deviceid
>             && !strcmp(current_node->cmdline, command->cmdline)
> -           && current_node->vhost_id == sconf->vhost_id
> +           && current_node->vhost_id == command->vhost_id
>             && current_node->uid == command->uid
>             && current_node->gid == command->gid)
>             break;
>
> But this patch hasn't made it to any released version.
>
> Debian has plans to release a Debian Security Advisory for the issue
> and will resolve it with the above patch.
>
> This problem is also documented at:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49902
> http://bugs.debian.org/615814
>
> Regards,
>
> --dkg
>
> [0] https://httpd.apache.org/mod_fcgid/

Please use CVE-2012-1181 for this issue.

-- 
Kurt Seifried / Red Hat Security Response Team
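Review bot: confirm that `command->vhost_id` is populated by every caller that builds the command before it reaches this loop; the hunk only swaps the right-hand side of the comparison from `sconf->vhost_id` to `command->vhost_id` and does not show where the field is assigned, and an unset value would fail to match any existing node, which would defeat the per-class accounting this fix is meant to restore. The other five conditions in the same `if` already key the node on the command (`command->inode`, `command->deviceid`, `command->cmdline`, `command->uid`, `command->gid`), so a short comment above the `if` noting that process classes are identified by the command's vhost rather than the server config passed to the spawn controller would explain why the old comparison was wrong; the CHANGES entry for this revision should reference bug 49902 and CVE-2012-1181 so the security fix is traceable from the release notes.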