Robert Matthews discovered that the Apache FCGID module, a FastCGI implementation for Apache HTTP Server, fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in version 1:2.3.6-1+squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 1:2.3.6-1.2+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 1:2.3.9-1. We recommend that you upgrade your libapache2-mod-fcgid packages.

mod_fcgid is a high performance alternative to mod_cgi or mod_cgid, which starts a sufficient number instances of the CGI program to handle concurrent requests, and these programs remain running to handle further incoming requests. It is favored by the PHP developers, for example, as a preferred alternative to running mod_php in-process, delivering very similar performance.

libapache2-mod-fcgid on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2013/dsa-2778.html

---

Updated on 2015-03-25