CVE-2010-3872

NameCVE-2010-3872
DescriptionThe fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for the Apache HTTP Server does not use bytewise pointer arithmetic in certain circumstances, which has unspecified impact and attack vectors related to "untrusted FastCGI applications" and a "stack buffer overwrite."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2140-1
NVD severityhigh (attack range: local)
Debian Bugs605484

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache2-mod-fcgid (PTS)wheezy, wheezy (security)1:2.3.6-1.2+deb7u1fixed
buster, sid, jessie, stretch1:2.3.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache2-mod-fcgidsource(unstable)1:2.3.6-1high605484
libapache2-mod-fcgidsourcelenny1:2.2-1+lenny1highDSA-2140-1

Search for package or bug name: Reporting problems