FCGI does not perform range checks for file descriptors before use of the FD_SET macro. This FD_SET macro could allow for more than 1024 total file descriptors to be monitored in the closing state.
This may allow remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening many socket connections to the host and crashing the service.
At this time the fcgi mailing list is down, this seems to be the patch that is chosen:
link to CVE request: http://www.openwall.com/lists/oss-security/2015/02/06/4 (thanks Till for making the request)