[Rt-devel] [Rt-announce] Vulnerability in FCGI.pm 0.70 - 0.73 (CVE-2011-2766)

Alex Vandiver alexmv at bestpractical.com
Wed Oct 5 12:49:02 EDT 2011

If you are running RT 3 under mod_fastcgi, you may be vulnerable to the
FCGI module's CVE-2011-2766.  The vulnerability affects FCGI versions
0.70 though 0.73, inclusive; you can determine if you are running an
affected version by running:
  perl -MFCGI -le 'print "FCGI version $FCGI::VERSION"'

Version 0.70 of FCGI, released March 22, 2010, introduced a bug in this
interface, wherein the environment of the very first request to the
FastCGI child was copied into all subsequent requests.  Among other
things, this means that the cookies of the first request were seen by
all subsequent requests that did not themselves specify a cookie.

We recommend affected users upgrade their version of FCGI to version
0.74, which was released on September 24, 2011.  In most deployments,
you can accomplish this by running, as root:
   cpan FCGI
You will then need to restart your Apache server.

We intend to release RT 3.8.11rc1 shortly, which will include a
dependency on FCGI 0.74 or higher.  No security changes are required to
RT, this release will just include a bump to the new version of FCGI.

RT 4 does not use the vulnerable API, and as such is not affected by
this vulnerability.  Deployments using mod_fcgid instead of mod_fastcgi
are not vulnerable, nor are deployments where RT is run as an external
FastCGI server.  Deployments using mod_perl or standalone are also
unaffected by this.

 - Alex
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.bestpractical.com/pipermail/rt-devel/attachments/20111005/fe8226bd/attachment.pgp>
-------------- next part --------------
RT-Announce mailing list
RT-Announce at lists.bestpractical.com

More information about the rt-devel mailing list