===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1443
                   libapache2-mod-fcgid security update
                              14 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libapache2-mod-fcgid
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4365  

Original Bulletin: 
   http://www.debian.org/security/2013/dsa-2778

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libapache2-mod-fcgid check for an updated version of the 
         software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2778-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
October 12, 2013                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libapache2-mod-fcgid
Vulnerability  : heap-based buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4365

Robert Matthews discovered that the Apache FCGID module, a FastCGI
implementation for Apache HTTP Server, fails to perform adequate
boundary checks on user-supplied input. This may allow a remote attacker
to cause a heap-based buffer overflow, resulting in a denial of service
or potentially allowing the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1:2.3.6-1+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 1:2.3.6-1.2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.3.9-1.

We recommend that you upgrade your libapache2-mod-fcgid packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================