Re: libapache2-mod-fcgid in lenny vulnerable to hole for weeks
On Tuesday 21 December 2010, John Goerzen wrote:
> I reported bug #605484 regarding a security hole in lenny. I
> believe the security team was CC'd.
> Prior to my report,
> http://security-tracker.debian.org/tracker/CVE-2010-3872 said that
> Debian/stable was not vulnerable. I also notified them to correct
> this issue.
> My question here is: who's got the ball on security issues? It
> seems that this issue didn't trigger any bugs being created or any
> bugs being filed in Debian when it came out. When I did what I
> thought was appropriate, it also didn't trigger much. The
> maintainer was interested in it, but AFAICT there are, as yet, no
> new packages.
> This is not an attack on any person/team, just a question about
> whether we have an organizational problem we need to correct.
The problem is a combination of several security team members being
inactive because of work/thesis/... and the other members being kept
busy by things which had higher priority. For example fixing the
recent exim remote root vulnerability and sorting out infrastructure
breakage due to the dak upgrade on security-master. The upgrade was
was necessary to support squeeze.
My understanding is that the mod_fcgid issue cannot be triggered by
browsers but only if there is a malicious fcgi app on the server,
which is not a very common setup. Therefore this seemed like a not-so-
high priority issue. I am sorry that nobody found the time to mail
this to you.
FWIW, it seems the infrastructure has been finally fixed today, so I
hope things will improve now. But I do think that there are currently
to few active members in the security team. I am pretty sure we will
send out a request for new volunteers soon.