[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: libapache2-mod-fcgid in lenny vulnerable to hole for weeks

On Tuesday 21 December 2010, John Goerzen wrote:
> I reported bug #605484 regarding a security hole in lenny.  I
> believe the security team was CC'd.
> Prior to my report,
> http://security-tracker.debian.org/tracker/CVE-2010-3872 said that
> Debian/stable was not vulnerable.  I also notified them to correct
> this issue.
> My question here is: who's got the ball on security issues?  It
> seems that this issue didn't trigger any bugs being created or any
> bugs being filed in Debian when it came out.  When I did what I
> thought was appropriate, it also didn't trigger much.  The
> maintainer was interested in it, but AFAICT there are, as yet, no
> new packages.
> This is not an attack on any person/team, just a question about
> whether we have an organizational problem we need to correct.

The problem is a combination of several security team members being 
inactive because of work/thesis/... and the other members being kept 
busy by things which had higher priority. For example fixing the 
recent exim remote root vulnerability and sorting out infrastructure 
breakage due to the dak upgrade on security-master. The upgrade was 
was necessary to support squeeze.

My understanding is that the mod_fcgid issue cannot be triggered by 
browsers but only if there is a malicious fcgi app on the server, 
which is not a very common setup. Therefore this seemed like a not-so-
high priority issue. I am sorry that nobody found the time to mail 
this to you.

FWIW, it seems the infrastructure has been finally fixed today, so I 
hope things will improve now. But I do think that there are currently 
to few active members in the security team. I am pretty sure we will 
send out a request for new volunteers soon.


Reply to: