Debian Bug report logs - #615814
libapache2-mod-fcgid: FcgidMaxProcessesPerClass ignored in VirtualHost

version graph

Package: libapache2-mod-fcgid; Maintainer for libapache2-mod-fcgid is Felix Geyer <fgeyer@debian.org>; Source for libapache2-mod-fcgid is src:libapache2-mod-fcgid.

Reported by: jamie <jm@mayfirst.org>

Date: Mon, 28 Feb 2011 04:21:01 UTC

Severity: normal

Tags: patch, security

Found in version 2.3.6-1

Fixed in versions libapache2-mod-fcgid/1:2.3.6-1.1, libapache2-mod-fcgid/1:2.3.6-1+squeeze1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/bugzilla/show_bug.cgi?id=49902

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#615814; Package libapache2-mod-fcgid. (Mon, 28 Feb 2011 04:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to jamie <jm@mayfirst.org>:
New Bug report received and forwarded. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Mon, 28 Feb 2011 04:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: jamie <jm@mayfirst.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-fcgid: FcgidMaxProcessesPerClass ignored in VirtualHost
Date: Sun, 27 Feb 2011 23:09:35 -0500
Package: libapache2-mod-fcgid
Version: 2.3.6-1
Severity: normal


When configured in /etc/apache2/mods-enabled/fcgid.conf, FcgidMaxProcessesPerClass works as expected, provided it is not also defined in any VirtualHost blocks.

If it is *also* defined in a VirtualHost block, then both the limit
defined in the VirtualHost block and the limit defined in
/etc/apache2/mods-enabled/fcgid.conf are ignored (for the VirtualHost in
which it is defined - for other VirtualHosts, the value in fcgid.conf is
respected).

If it is defined only in a VirtualHost block, it is ignored.

I expect that if it is defined in both places, the definition in the
VirtualHost block would take precedence.




Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#615814; Package libapache2-mod-fcgid. (Mon, 28 Feb 2011 14:42:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jamie McClelland <jm@mayfirst.org>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Mon, 28 Feb 2011 14:42:13 GMT) Full text and rfc822 format available.

Message #10 received at 615814@bugs.debian.org (full text, mbox):

From: Jamie McClelland <jm@mayfirst.org>
To: 615814@bugs.debian.org
Subject: methods for testing
Date: Mon, 28 Feb 2011 09:35:54 -0500
[Message part 1 (text/plain, inline)]
To provide further clarification, I came to these conculsions using the
following method:

 * On the test web server, I ran top, filtered by the user running php

 * I created a simple php test file in the test server's web directory with:

 <?php
 sleep(5);
 ?>

 * I used Apache's benchmark tool with the following arguments:

   ab -c 5 -n 5 http://test-server/test.php

   I observed that 5 processes appeared in top.

 * I set the FcgidMaxProcessesPerClass directive to 3, first in
   /etc/apache2/fcgid.conf, and then in
   /etc/apache2/sites-enabled/00-default, and then in both place. After
   each change, I reloaded apache (all processes in top were
   terminated), and then I re-ran the benchmark command and observed the
   number of processes that appeared in top. When the number of
   processes was 3, I concluded it was working as expected. When the
   number was 5, I concluded that it wasn't working properly.


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#615814; Package libapache2-mod-fcgid. (Fri, 19 Aug 2011 17:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Miguel Cabeça <cabeca@ist.utl.pt>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Fri, 19 Aug 2011 17:21:06 GMT) Full text and rfc822 format available.

Message #15 received at 615814@bugs.debian.org (full text, mbox):

From: Miguel Cabeça <cabeca@ist.utl.pt>
To: 615814@bugs.debian.org
Subject: libapache2-mod-fcgid: FcgidMaxProcessesPerClass ignored
Date: Fri, 19 Aug 2011 18:11:41 +0100
[Message part 1 (text/plain, inline)]
Severity: important
Tags: patch

Hi,

I had this problem today, and I believe I found a bug. Our multi-user server setup is using suexec + mod_fcgid and several virtual hosts.
When debugging this issue, I came to the conclusion that sconf->vhost_id was always equal to 1 while current_node->vhost_id would be different from 1, depending on the virtual host used. I believe one should use command->vhost_id (as the other checks in the same if sentence) for correct grouping of processes.

Due to this bug, the check for FcgidMaxProcessesPerClass setting later in the code would never be reached in the case of vhost_id != 1.

I'm setting the severity of this bug to important because this let's a user go above the defined max processes per class in a multi-user server, possibly causing a  denial-of-service to other users.

Best Regards.
Miguel Cabeça

[20_honor_FcgidMaxProcessesPerClass_setting.dpatch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#615814; Package libapache2-mod-fcgid. (Sat, 26 Nov 2011 17:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jamie McClelland <jm@mayfirst.org>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Sat, 26 Nov 2011 17:15:03 GMT) Full text and rfc822 format available.

Message #20 received at 615814@bugs.debian.org (full text, mbox):

From: Jamie McClelland <jm@mayfirst.org>
To: 615814@bugs.debian.org
Subject: 20_honor_FcgidMaxProcessesPerClass_setting.dpatch solved my problem
Date: Sat, 26 Nov 2011 12:05:32 -0500
[Message part 1 (text/plain, inline)]
Thank you Miguel!

This problem has been plaguing us for quite some time.

I just applied your patch and it works.

In my original bug report, I said that FcgidMaxProcessesPerClass works
if it's placed in /etc/apache2/mods-enabled/fcgid.conf but fails if it
also is placed in a VirtualHost directive.

This was incorrect. 

Prior to applying the patch, it seems as though
FcgidMaxProcessesPerClass was ignored no matter where it was placed.

After applying the patch it works both in
/etc/apache2/mods-enabled/fcgid.conf and in a VrtualHost Directive and
when placed in both (with the VirtualHost Directive taking precedence as
expected).

I'd also like to re-iterate the severity of this bug - in a shared
environment controlling the processes that can be launched by a single
virtualhost is critically important to the security of the machine.


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#615814; Package libapache2-mod-fcgid. (Wed, 07 Mar 2012 22:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Wed, 07 Mar 2012 22:27:06 GMT) Full text and rfc822 format available.

Message #25 received at 615814@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 615814@bugs.debian.org, 615814-submitter@bugs.debian.org, control@bugs.debian.org, Miguel Cabeça <cabeca@ist.utl.pt>, security@debian.org
Subject: NMUing libapache2-mod-fcgid (DELAYED/5): #615814 fixed in upstream svn, has security implications
Date: Wed, 07 Mar 2012 17:26:02 -0500
[Message part 1 (text/plain, inline)]
tags 615814 + security patch
thanks

#615814 appears to be an opportunity for a denial of service attack,
since explicitly declared process limits are not respected.

Despite not having yet released 2.3.7, upstream is clearly aware of the
bug in 2.3.6, since they committed a fix for it back in November of
2010 (the same fix provided by Miguel Cabeça):

0 dkg@pip:~$ svn diff -r1037726:1037727 https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk
Index: CHANGES-FCGID
===================================================================
--- CHANGES-FCGID	(revision 1037726)
+++ CHANGES-FCGID	(revision 1037727)
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with mod_fcgid 2.3.7
 
+  *) Fix regression in 2.3.6 which broke process controls when using vhost-
+     specific configuration.  [Jeff Trawick]
+
   *) Account for first process in class in the spawn score.  [Jeff Trawick]
 
 Changes with mod_fcgid 2.3.6
Index: modules/fcgid/fcgid_spawn_ctl.c
===================================================================
--- modules/fcgid/fcgid_spawn_ctl.c	(revision 1037726)
+++ modules/fcgid/fcgid_spawn_ctl.c	(revision 1037727)
@@ -178,7 +178,7 @@
         if (current_node->inode == command->inode
             && current_node->deviceid == command->deviceid
             && !strcmp(current_node->cmdline, command->cmdline)
-            && current_node->vhost_id == sconf->vhost_id
+            && current_node->vhost_id == command->vhost_id
             && current_node->uid == command->uid
             && current_node->gid == command->gid)
             break;
0 dkg@pip:~$ svn log -r1037727 https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk
------------------------------------------------------------------------
r1037727 | trawick | 2010-11-22 09:08:29 -0500 (Mon, 22 Nov 2010) | 7 lines

Fix regression in 2.3.6 which broke process controls when using vhost-
specific configuration.

vhost_id was referenced from the wrong structure, and never matched
unless there were no vhost-specific directives in the vhost of the
request.

------------------------------------------------------------------------
0 dkg@pip:~$ 

I've prepared an NMU for unstable and i'm uploading it to DELAYED/5 (see
the attached debdiff).

I'd like to offer the same fix for either the security archive or the
next stable point release, since currently debian stable systems running
mod_fcgid are vulnerable to denial of service attacks by memory
exhaustion where this limit is not respected.

Security folks, would you accept this as a security upload for squeeze,
or should i fall back to the release-team for the next point release?  I
don't think i've ever prepared a DSA before, but i'm prepared to learn
if you think that's reasonable.

         --dkg

[615814.debdiff (text/x-diff, inline)]
diff -u libapache2-mod-fcgid-2.3.6/debian/changelog libapache2-mod-fcgid-2.3.6/debian/changelog
--- libapache2-mod-fcgid-2.3.6/debian/changelog
+++ libapache2-mod-fcgid-2.3.6/debian/changelog
@@ -1,3 +1,11 @@
+libapache2-mod-fcgid (1:2.3.6-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * import r1037727 from upstream to fix vhost-specific process controls
+     (Closes: #615814)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 07 Mar 2012 17:00:08 -0500
+
 libapache2-mod-fcgid (1:2.3.6-1) unstable; urgency=low
 
   * New upstream release (Closes: #595276)
diff -u libapache2-mod-fcgid-2.3.6/debian/patches/00list libapache2-mod-fcgid-2.3.6/debian/patches/00list
--- libapache2-mod-fcgid-2.3.6/debian/patches/00list
+++ libapache2-mod-fcgid-2.3.6/debian/patches/00list
@@ -1,0 +2 @@
+20_honor_FcgidMaxProcessesPerClass_setting.dpatch
only in patch2:
unchanged:
--- libapache2-mod-fcgid-2.3.6.orig/debian/patches/20_honor_FcgidMaxProcessesPerClass_setting.dpatch
+++ libapache2-mod-fcgid-2.3.6/debian/patches/20_honor_FcgidMaxProcessesPerClass_setting.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_honor_FcgidMaxProcessesPerClass_setting.dpatch by  <cabeca@ist.utl.pt>
+##
+## DP: See r1037727 from https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk by trawick:
+## DP:
+## DP: Fix regression in 2.3.6 which broke process controls when using vhost-
+## DP: specific configuration.
+## DP: 
+## DP: vhost_id was referenced from the wrong structure, and never matched
+## DP: unless there were no vhost-specific directives in the vhost of the
+## DP: request.
+
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' libapache2-mod-fcgid-2.3.6~/modules/fcgid/fcgid_spawn_ctl.c libapache2-mod-fcgid-2.3.6/modules/fcgid/fcgid_spawn_ctl.c
+--- libapache2-mod-fcgid-2.3.6~/modules/fcgid/fcgid_spawn_ctl.c	2011-08-19 17:13:22.982605420 +0100
++++ libapache2-mod-fcgid-2.3.6/modules/fcgid/fcgid_spawn_ctl.c	2011-08-19 17:19:31.859603703 +0100
+@@ -173,7 +173,7 @@
+         if (current_node->inode == command->inode
+             && current_node->deviceid == command->deviceid
+             && !strcmp(current_node->cmdline, command->cmdline)
+-            && current_node->vhost_id == sconf->vhost_id
++            && current_node->vhost_id == command->vhost_id
+             && current_node->uid == command->uid
+             && current_node->gid == command->gid)
+             break;
[Message part 3 (application/pgp-signature, inline)]

Added tag(s) security and patch. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Wed, 07 Mar 2012 22:27:10 GMT) Full text and rfc822 format available.

Message sent on to jamie <jm@mayfirst.org>:
Bug#615814. (Wed, 07 Mar 2012 22:27:12 GMT) Full text and rfc822 format available.

Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Mon, 12 Mar 2012 22:51:15 GMT) Full text and rfc822 format available.

Notification sent to jamie <jm@mayfirst.org>:
Bug acknowledged by developer. (Mon, 12 Mar 2012 22:51:15 GMT) Full text and rfc822 format available.

Message #35 received at 615814-close@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 615814-close@bugs.debian.org
Subject: Bug#615814: fixed in libapache2-mod-fcgid 1:2.3.6-1.1
Date: Mon, 12 Mar 2012 22:48:51 +0000
Source: libapache2-mod-fcgid
Source-Version: 1:2.3.6-1.1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-fcgid, which is due to be installed in the Debian FTP archive:

libapache2-mod-fcgid-dbg_2.3.6-1.1_i386.deb
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid-dbg_2.3.6-1.1_i386.deb
libapache2-mod-fcgid_2.3.6-1.1.diff.gz
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.3.6-1.1.diff.gz
libapache2-mod-fcgid_2.3.6-1.1.dsc
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.3.6-1.1.dsc
libapache2-mod-fcgid_2.3.6-1.1_i386.deb
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.3.6-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 615814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated libapache2-mod-fcgid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Mar 2012 17:00:08 -0500
Source: libapache2-mod-fcgid
Binary: libapache2-mod-fcgid libapache2-mod-fcgid-dbg
Architecture: source i386
Version: 1:2.3.6-1.1
Distribution: unstable
Urgency: low
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description: 
 libapache2-mod-fcgid - an alternative module compat with mod_fastcgi
 libapache2-mod-fcgid-dbg - debugging symbols for mod_fcgid
Closes: 615814
Changes: 
 libapache2-mod-fcgid (1:2.3.6-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * import r1037727 from upstream to fix vhost-specific process controls
      (Closes: #615814)
Checksums-Sha1: 
 3ebbd0553460ff96583b91dd56c65ae1b3143fa0 2123 libapache2-mod-fcgid_2.3.6-1.1.dsc
 c2182ce40212ee2a73fc1b8112933fd689d49576 5111 libapache2-mod-fcgid_2.3.6-1.1.diff.gz
 afa36f2c5ab7f6b4fb3672baa83848afe6a59b65 75696 libapache2-mod-fcgid_2.3.6-1.1_i386.deb
 14493ebfe2b54f36dddc558fc91d60aece1cab51 16604 libapache2-mod-fcgid-dbg_2.3.6-1.1_i386.deb
Checksums-Sha256: 
 dd1b017f215973cd4e7799fa58890fc1927637fdc57d14c7988d9cef4d9f1131 2123 libapache2-mod-fcgid_2.3.6-1.1.dsc
 49713b359912dfc3ecf1f66b32a1217996fa6039b9f7e3d4136b9ac84ca1e1f0 5111 libapache2-mod-fcgid_2.3.6-1.1.diff.gz
 c6ff71606740c7cca1407a2635646c3dfbc169ed3b7576132f5caa73aacd14b8 75696 libapache2-mod-fcgid_2.3.6-1.1_i386.deb
 f50dfd08d7ba296d5f287487639393ef0ef927d775d2cf0267b8a195c41a5478 16604 libapache2-mod-fcgid-dbg_2.3.6-1.1_i386.deb
Files: 
 82ea7fd3e5279d73ad14e24b8fde5e4c 2123 httpd optional libapache2-mod-fcgid_2.3.6-1.1.dsc
 418c09b403880c1543844714f94352b5 5111 httpd optional libapache2-mod-fcgid_2.3.6-1.1.diff.gz
 e5bc028e6b4dc7f5feeb170af053a531 75696 httpd optional libapache2-mod-fcgid_2.3.6-1.1_i386.deb
 f168f456efc053aacf179152870e04cd 16604 debug extra libapache2-mod-fcgid-dbg_2.3.6-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJPV969XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwRUU1QkU5NzkyODJEODBCOUY3NTQwRjFD
Q0QyRUQ5NEQyMTczOUU5AAoJEMzS7ZTSFznpn9wQAJwdpszG9/BSZhUSm/VxUpBY
DCQZG4WXsDfPUXqCF1kGi9+QYma2kj0EFUkTmVOO0LZq8nXgxbPzfJiqaETnVwOp
UkgAowU3dY6ov8kshbLLhqX/SK/8njdI/dzpvlfgXJEgfBFN+BF9FVcELnk1W093
fC1fLht8jD6KsCMpU/PuwEyYZ+oFI8Y926SqzNoEaTkVNHBG/Txg9z7+GmV8dNq6
zKgb1In+Z1GBIKr4JH6O2r3fRM+j72BtFCFDWQ3R4zTDX8tNTcXxT6de3tJFK0x+
ijqVWoQbjdoRzVi5mkDBznDiPbP1/aCWFjF1qMUloXXewvKXEziI86og6Y47LctC
XolfBP6uhSHGf6GsaTXM47Y5yuetmfXoxOwh/OGomavRj3VmEBJESl51dyoeN0np
44ZGMkdE1PweaZstA5u8u3ZnkY6eVAVtN18FNmbn0Afd5SjlBM0zqzTwimEqbppI
QEsgouKHr5629m1LqOLyyjAoFKat53SU9qehe2TBla1rDv3+vQZ97xxjEobtBPGU
X45eAaW1xICH5CLIh3gqJxc7tqNHxHpSR28rL7FE+XZIMr/eIm7c+pAfd1RrfJzs
eMT9J7YZIBUkC8Ww8rO9nvoTx1hJ7EhTkpuUAx0ztCjecbDK2oQ3cfH0u0ruZD06
0eHZmXQIcNu9TnjuAKGh
=TLRe
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#615814; Package libapache2-mod-fcgid. (Fri, 16 Mar 2012 01:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Fri, 16 Mar 2012 01:00:03 GMT) Full text and rfc822 format available.

Message #40 received at 615814@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: security@debian.org, 615814@bugs.debian.org
Subject: Re: NMUing libapache2-mod-fcgid (DELAYED/5): #615814 fixed in upstream svn, has security implications
Date: Thu, 15 Mar 2012 20:57:33 -0400
[Message part 1 (text/plain, inline)]
On Thu, 15 Mar 2012 16:20:40 -0400, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> I've reported the issue to oss-security and requested a CVE:
> 
>    http://www.openwall.com/lists/oss-security/2012/03/15/10

This has now been assigned CVE-2012-1181.

     --dkg
[Message part 2 (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://issues.apache.org/bugzilla/show_bug.cgi?id=49902'. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Fri, 16 Mar 2012 04:15:08 GMT) Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Mon, 19 Mar 2012 20:51:11 GMT) Full text and rfc822 format available.

Notification sent to jamie <jm@mayfirst.org>:
Bug acknowledged by developer. (Mon, 19 Mar 2012 20:51:11 GMT) Full text and rfc822 format available.

Message #47 received at 615814-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 615814-close@bugs.debian.org
Subject: Bug#615814: fixed in libapache2-mod-fcgid 1:2.3.6-1+squeeze1
Date: Mon, 19 Mar 2012 20:47:10 +0000
Source: libapache2-mod-fcgid
Source-Version: 1:2.3.6-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-fcgid, which is due to be installed in the Debian FTP archive:

libapache2-mod-fcgid-dbg_2.3.6-1+squeeze1_amd64.deb
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid-dbg_2.3.6-1+squeeze1_amd64.deb
libapache2-mod-fcgid_2.3.6-1+squeeze1.diff.gz
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.3.6-1+squeeze1.diff.gz
libapache2-mod-fcgid_2.3.6-1+squeeze1.dsc
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.3.6-1+squeeze1.dsc
libapache2-mod-fcgid_2.3.6-1+squeeze1_amd64.deb
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.3.6-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 615814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated libapache2-mod-fcgid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 19 Mar 2012 11:39:32 +0100
Source: libapache2-mod-fcgid
Binary: libapache2-mod-fcgid libapache2-mod-fcgid-dbg
Architecture: source amd64
Version: 1:2.3.6-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 libapache2-mod-fcgid - an alternative module compat with mod_fastcgi
 libapache2-mod-fcgid-dbg - debugging symbols for mod_fcgid
Closes: 615814
Changes: 
 libapache2-mod-fcgid (1:2.3.6-1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * import r1037727 from upstream to fix vhost-specific process controls
     (Closes: #615814, CVE-2012-1181)
Checksums-Sha1: 
 37c7311c6579f33be665e15b6c16f76ef0f8d002 1575 libapache2-mod-fcgid_2.3.6-1+squeeze1.dsc
 018245896f331909e896685ab3ca86b163846e4d 101883 libapache2-mod-fcgid_2.3.6.orig.tar.gz
 032b182467c915e83dc354d8fdf6b39ebc0f7e29 5231 libapache2-mod-fcgid_2.3.6-1+squeeze1.diff.gz
 26394883f95588039a2e7eebd00f96732e34353b 73198 libapache2-mod-fcgid_2.3.6-1+squeeze1_amd64.deb
 b275bbce7ff5e3707e56a9e1749f068aee27de12 13844 libapache2-mod-fcgid-dbg_2.3.6-1+squeeze1_amd64.deb
Checksums-Sha256: 
 3966d119be675dfe247e72b1b2cb884538ef1743bc5004307d8003cb66f8f014 1575 libapache2-mod-fcgid_2.3.6-1+squeeze1.dsc
 e831795498d91cf27a519ea1332c2a92a2a9920b0844d817b2ea7f079056d12b 101883 libapache2-mod-fcgid_2.3.6.orig.tar.gz
 3594320091297b44aa68b7b766c113c1fba079f6d7c50f90b0602d480cbc4a4e 5231 libapache2-mod-fcgid_2.3.6-1+squeeze1.diff.gz
 ea72dfd6e80458560609b1f8300a4f48e4d33356718c5d5aa0ca21e10fb4156d 73198 libapache2-mod-fcgid_2.3.6-1+squeeze1_amd64.deb
 a5318db7e2e61e2dcf371455508b0286f851bb0962ff12f172667714421d2578 13844 libapache2-mod-fcgid-dbg_2.3.6-1+squeeze1_amd64.deb
Files: 
 b56ccda8eb465c62cd7a76ecc82dcd53 1575 httpd optional libapache2-mod-fcgid_2.3.6-1+squeeze1.dsc
 fbfc115eb47cd9bda91269743aba5e83 101883 httpd optional libapache2-mod-fcgid_2.3.6.orig.tar.gz
 da728a9e941eeee92e6c593f74f725e1 5231 httpd optional libapache2-mod-fcgid_2.3.6-1+squeeze1.diff.gz
 d3a8631cd7256901afdcd992e83fded4 73198 httpd optional libapache2-mod-fcgid_2.3.6-1+squeeze1_amd64.deb
 d7085533b2234e993f4c4265fb190b7b 13844 debug extra libapache2-mod-fcgid-dbg_2.3.6-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJPZw4jAAoJEOxfUAG2iX57vnsIAM8C6e7PvLwQLBrSvaAw/Twl
V3tJ3D6h6t1H2itc5SHdnsc3wQ2SjDK39SqxDu9+nXwRIf6ksRO21jdExGs1TQuE
bd0BqXoWnxbnDI1ADpjlvTjk9HFuk5nrzhJPExMcH/g8327fvzXMul06/AMFP2bS
omYqQpTKuYX54gG57J1FGfsSbwBwTpBhD+nzQsp6LYOfBV7OpwT954Hg5kMwXsbr
6PURz8Bbr7i6ilo2u/TtBGqQHosQdk0YpfpM6NBvfu/ooho53VVP4vN52jmzlkmu
Ov8YwrkfLhsQdpZ3/KeFWH+TSp93K9v0WngufMC2p6hISgSQLB5go6PqNv20xkU=
=hglW
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Apr 2012 07:31:13 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 14:26:08 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.