• Bug#1092774: libfcgi: CVE-2025-23016

    From Salvatore Bonaccorso@21:1/5 to Chris Hofstaedtler on Sun Apr 13 20:30:01 2025
    Hi Chris,

    On Sun, Apr 13, 2025 at 08:06:18PM +0200, Chris Hofstaedtler wrote:
    > On Sat, Jan 11, 2025 at 03:00:45PM +0100, Salvatore Bonaccorso wrote:
    >> Source: libfcgi
    >> Version: 2.4.2-2.1
    >> Severity: grave
    >> Tags: security upstream
    >> Forwarded: https://github.com/FastCGI-Archives/fcgi2/issues/67
    >
    > In the upstream bug there seems to be some disagreement if this is
    > actually a problem.
    >
    > Has any other distro fixed this yet, in some form?

    Not that I'm aware of yet. The reporter said that they will publish an
    article mid-April (so soon?) about how to exploit the vulnerability.

    I'm not exactly sure where we stand right now, and need to re-read the
    upstream issue, but as long as upstream has not landed a potential fix
    then I do not think we need to take an action.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastian Germann@21:1/5 to All on Mon Apr 14 20:10:02 2025
    Control: tags -1 fixed-upstream

    Please note that Yadd's debdiff is based on a patch that was rejected.
    The final solution was just released with the new upstream version 2.4.5: https://github.com/FastCGI-Archives/fcgi2/commit/b0eabcaf4d4f371514891a52115c746815c2ff15
