Daniel Kahn Gillmor dkg reports:

Version 2.3.6 of mod-fcgid (the current published version from ASF according to [0]) has a known problem that FcgidMaxProcessesPerClass directives are not honored when they appear inside a VirtualHost stanza. This presents a risk of denial of service because it means that a remote attacker can violate the intent of the admin and overwhelm the server running fcgid. Could a CVE be assigned for this vulnerability?

If the admin declares that a given virtualhost should be limited to X fastcgi processes (often in order to constrain RAM usage by the vhost), any remote user can issue X+1 (or 10X, or whatever) concurrent GET requests, which defeats the documented limit, and can result in heavy swap or the oom-killer, which can cause a DoS on other services on the host.

This bug has been fixed since the release of 2.3.6 in upstream's svn (r1037727 of https://svn.apache.org/repos/asf/httpd/mod_fcgid/trunk) with a narrowly-targeted one-line patch:

--- modules/fcgid/fcgid_spawn_ctl.c (revision 1037726) +++ modules/fcgid/fcgid_spawn_ctl.c (revision 1037727) @@ -178,7 +178,7 @@ if (current_node->inode == command->inode && current_node->deviceid == command->deviceid && !strcmp(current_node->cmdline, command->cmdline) - && current_node->vhost_id == sconf->vhost_id + && current_node->vhost_id == command->vhost_id && current_node->uid == command->uid && current_node->gid == command->gid) break;

But this patch hasn't made it to any released version. Debian has plans to release a Debian Security Advisory for the issue and will resolve it with the above patch.

This problem is also documented at:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49902
http://bugs.debian.org/615814

Regards,
--dkg

[0] https://httpd.apache.org/mod_fcgid/
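Review bot: the corrected comparison `current_node->vhost_id == command->vhost_id` is the only term in this condition that was not already taken from `command` (inode, deviceid, cmdline, uid and gid all are), so the one-line change is consistent with the rest of the match; before merging, confirm that any other list walk in fcgid_spawn_ctl.c that matches a process-class node against a command does not still compare against `sconf->vhost_id`, since a second site left unchanged would reintroduce the same mismatch on another code path. The hunk also carries no accompanying test or changelog entry; a configuration with FcgidMaxProcessesPerClass inside a VirtualHost, exercised with more concurrent requests than the limit, is the natural regression check for this fix.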
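To make the mechanism behind the report concrete, the following is an added, constructed C model of a per-class process table, written for this thread and not taken from mod_fcgid. It assumes a simplified version of what the patched code does: a lookup walks a list of class nodes matching on cmdline and vhost id, a spawn is allowed when no node exists or the node's counter is below the limit, and a new node is created when no node matches. Names such as `simulate`, `find_class` and the constructed cmdline are the model's own. It shows why a comparison against the server-level vhost id (the "buggy" mode) never finds the node created for a VirtualHost, so every request sees an empty class and the limit is never reached, while the same mode still enforces the limit for the main server.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a process-class node; not the mod_fcgid struct. */
typedef struct class_node {
    int vhost_id;
    char cmdline[64];
    int process_counter;
    struct class_node *next;
} class_node;

/* Constructed model of the per-request command: which vhost, which script. */
typedef struct {
    int vhost_id;
    char cmdline[64];
} fcgid_command;

static class_node *g_list;                 /* constructed global class list */
static const int g_main_server_vhost_id = 0; /* stands in for sconf->vhost_id of the main server */

/* Walk the list for a node matching this command.
 * buggy != 0 reproduces the defect: the node's vhost id is compared against the
 * main server's id instead of the id carried by the command. */
static class_node *find_class(const fcgid_command *cmd, int buggy)
{
    int wanted = buggy ? g_main_server_vhost_id : cmd->vhost_id;
    for (class_node *n = g_list; n; n = n->next)
        if (!strcmp(n->cmdline, cmd->cmdline) && n->vhost_id == wanted)
            return n;
    return NULL;
}

/* Spawn is allowed when the class has no node yet or is below the limit. */
static int spawn_allowed(const fcgid_command *cmd, int max_per_class, int buggy)
{
    class_node *n = find_class(cmd, buggy);
    return n == NULL || n->process_counter < max_per_class;
}

/* Record a spawn; creates the node (with the command's vhost id) if missing. */
static void register_spawn(const fcgid_command *cmd, int buggy)
{
    class_node *n = find_class(cmd, buggy);
    if (!n) {
        n = calloc(1, sizeof *n);
        n->vhost_id = cmd->vhost_id;
        strncpy(n->cmdline, cmd->cmdline, sizeof n->cmdline - 1);
        n->next = g_list;
        g_list = n;
    }
    n->process_counter++;
}

static void reset_table(void)
{
    while (g_list) {
        class_node *next = g_list->next;
        free(g_list);
        g_list = next;
    }
}

/* Simulate `requests` concurrent requests for one script on one vhost and
 * return how many processes the table let through under the given limit. */
int simulate(int vhost_id, int requests, int max_per_class, int buggy)
{
    reset_table();
    fcgid_command cmd = { vhost_id, "/var/www/example/app.fcgi" }; /* constructed */
    int spawned = 0;
    for (int i = 0; i < requests; i++) {
        if (spawn_allowed(&cmd, max_per_class, buggy)) {
            register_spawn(&cmd, buggy);
            spawned++;
        }
    }
    reset_table();
    return spawned;
}

int main(void)
{
    printf("VirtualHost, buggy compare: %d spawned of 20 (limit 4)\n", simulate(1, 20, 4, 1));
    printf("VirtualHost, fixed compare: %d spawned of 20 (limit 4)\n", simulate(1, 20, 4, 0));
    printf("main server, buggy compare: %d spawned of 20 (limit 4)\n", simulate(0, 20, 4, 1));
    return 0;
}
```

The third line of output is the reason the defect went unnoticed outside VirtualHost blocks: for the main server the two ids coincide, so the limit holds there and only a limit declared inside a VirtualHost is silently bypassed.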
Created mod_fcgid tracking bugs for this issue Affects: fedora-all [bug 803919]
Created mod_fcgid tracking bugs for this issue Affects: epel-all [bug 803921]
This issue was previously reported and fixed in Fedora and EPEL: Bug #783742
(In reply to comment #3) > This issue was previously reported and fixed in Fedora and EPEL: Bug #783742 If they are fixed, it's ok to close:dupe bug 803919 and 803921 against that bug. There's no mention of EPEL-5 fix in bug 783742. Does that remain affected?
EPEL-5 has mod_fcgid version 2.2. My understanding is that this bug is a regression introduced in 2.3.6 and so EPEL-5 should not be affected.
If you look at the upstream bug report (https://issues.apache.org/bugzilla/show_bug.cgi?id=49902) you'll see that the original reporter noted that 2.2 did not suffer from this problem, so I can safely say that EPEL-5 is not affected.
Ok, thank you!