-=| Florian Schlichting, 17.10.2016 15:31:55 +0200 |=-
> I closed #815840 with the upload that fixed CVE-2012-6687, but Tianon
> rightly suggests that the best solution would be to use libfcgi-dev and
> ignore the bundled version of libfcgi.
>
> This doesn't seem to be so simple, though; he is running into undefined
> symbols, and I noticed that the RCS version header for os_unix.c is
> _newer_ in libfcgi-perl than what's in libfcgi-dev. Plus libfcgi upstream
> seems dead as in "after many quiet years, the mailing list address
> bounces"...

libfcgi-perl seems to be pretty heavily used (popcon 121595; 4129 vote; 11826 recent), so removing it (as was my first reaction after reading this bug report) does not seem feasible.

However, I managed to make it compile with the system-wide libfcgi after removing the two routines that are not present in Debian's libfcgi API: Attach and Detach. Their description is:

    =item $req->Detach()

    Temporarily detaches filehandles on an accepted connection.

    =item $req->Attach()

    Re-attaches filehandles on an accepted connection.

What do others think, is this, together with documenting the removal in a Debian.NEWS entry, a feasible approach?