Executive Summary

Summary
Title libapache2-mod-fcgid security update
Informations
Name DSA-2436 First vendor Publication 2012-03-19
Vendor Debian Last vendor Modification 2012-03-19
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that the Apache FCGID module, a FastCGI implementation, did not properly enforce the FcgidMaxProcessesPerClass resource limit, rendering this control ineffective and potentially allowing a virtual host to consume excessive resources.

For the stable distribution (squeeze), this problem has been fixed in version 1:2.3.6-1+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 1:2.3.6-1.1.

We recommend that you upgrade your libapache2-mod-fcgid packages.

Original Source

Url : http://www.debian.org/security/2012/dsa-2436

CWE : Common Weakness Enumeration

idName
CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15298
 
Oval ID: oval:org.mitre.oval:def:15298
Title: DSA-2436-1 libapache2-mod-fcgid -- inactive resource limits
Description: It was discovered that the Apache FCGID module, a FastCGI implementation, did not properly enforce the FcgidMaxProcessesPerClass resource limit, rendering this control ineffective and potentially allowing a virtual host to consume excessive resources.
Family: unix Class: patch
Reference(s): DSA-2436-1
CVE-2012-1181
Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): libapache2-mod-fcgid
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application1

OpenVAS Exploits

DateDescription
2012-08-10Name : Gentoo Security Advisory GLSA 201207-09 (mod_fcgid)
File : nvt/glsa_201207_09.nasl
2012-04-30Name : Debian Security Advisory DSA 2436-1 (libapache2-mod-fcgid)
File : nvt/deb_2436_1.nasl

Nessus® Vulnerability Scanner

DateDescription
2012-07-10Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201207-09.nasl - Type : ACT_GATHER_INFO
2012-03-20Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2436.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:30:56
  • Multiple Updates