Posted to cvs@httpd.apache.org by tr...@apache.org on 2013/10/08 13:15:59 UTC

svn commit: r3223 - /release/httpd/mod_fcgid/Announcement-Fcgid.txt

Author: trawick
Date: Tue Oct  8 11:15:56 2013
New Revision: 3223

Log:
Prepare announcement of mod_fcgid 2.3.9

Modified:
    release/httpd/mod_fcgid/Announcement-Fcgid.txt

Modified: release/httpd/mod_fcgid/Announcement-Fcgid.txt
==============================================================================
--- release/httpd/mod_fcgid/Announcement-Fcgid.txt (original)
+++ release/httpd/mod_fcgid/Announcement-Fcgid.txt Tue Oct  8 11:15:56 2013
@@ -1,9 +1,11 @@
-         mod_fcgid 2.3.7 Released
+         mod_fcgid 2.3.9 Released
 
   The Apache Software Foundation and the Apache HTTP Server Project are
-  pleased to announce the release of version 2.3.7 of mod_fcgid, a
+  pleased to announce the release of version 2.3.9 of mod_fcgid, a
   FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and 
-  2.4.  This version of mod_fcgid is a bug fix release.
+  2.4.  This version of mod_fcgid is a security release, resolving a
+  defect that could result in a denial of service with some applications.
+  Other fixes and improvements are also included in this release.
 
   mod_fcgid is available for download from:
 
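Review bot: The new opening paragraph calls this a security release but does not name the CVE, so a reader who stops at the summary cannot match it to an advisory. Consider adding the identifier that the change list already carries, for example "a security release, resolving a defect (CVE-2013-4365) that could result in a denial of service with some applications". The title and body also go from 2.3.7 straight to 2.3.9; if 2.3.8 was never announced, a short mention would spare readers from looking for it.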
@@ -11,24 +13,26 @@
 
   A full list of changes in this release follows:
 
-  *) Introduce FcgidWin32PreventOrphans directive on Windows to use OS
-     Job Control Objects to terminate all running fcgi's when the worker
-     process has been abruptly terminated. PR: 51078
-     [Thangaraj AntonyCrouse <thangaraj gmail.com>]
-
-  *) Periodically clean out the brigades which are pulling in the request 
-     body for handoff to the fcgid child. PR: 51749
-     [Dominic Benson <dominic.benson thirdlight.com>]
-
-  *) Resolve crash during graceful restarts. PR 50309
-     [Mario Brandt <JBlond gmail.com>]
-
-  *) Solve latency/cogestion of resolving effective user file access rights
-     when no such info is desired, for config related filename stats. 
-     PR: 51020 [Thangaraj AntonyCrouse <thangaraj gmail.com>, William Rowe]
+  *) SECURITY: CVE-2013-4365 (cve.mitre.org)
+     Fix possible heap buffer overwrite.  Reported and solved by:
+     [Robert Matthews <rob tigertech.com>]
 
-  *) Fix regression in 2.3.6 which broke process controls when using vhost-
-     specific configuration.  [Jeff Trawick]
+  *) Add experimental cmake-based build system for Windows.  [Jeff Trawick]
 
-  *) Account for first process in class in the spawn score.  [Jeff Trawick]
+  *) Correctly parse quotation and escaped spaces in FcgidWrapper and the
+     AAA Authenticator/Authorizor/Access directives' command line argument,
+     as currently documented.  PR 51194  [William Rowe]
 
+  *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
+     assignments).  PR 51657  [William Rowe]
+
+  *) Conform script response parsing with mod_cgid and ensure no response
+     body is sent when ap_meets_conditions() determines that request
+     conditions are met.  [Chris Darroch]
+
+  *) Improve logging in access control hook functions.  [Chris Darroch]
+
+  *) Avoid making internal sub-requests and processing Location headers
+     when in FCGI_AUTHORIZER mode, as the auth hook functions already
+     treat Location headers returned by scripts as an error since
+     redirections are not meaningful in this mode.  [Chris Darroch]
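Review bot: The SECURITY entry says only "Fix possible heap buffer overwrite", while the opening paragraph describes the impact as a denial of service with some applications. The two descriptions should be reconciled in the entry itself, along with the affected versions, so administrators can judge exposure from the change list alone. "(cve.mitre.org)" is also not a usable reference; a full link to the CVE record would be better. Minor: "Authorizor" in the FcgidWrapper entry should read "Authorizer". Since every 2.3.7 entry is removed here, confirm that those entries remain available in the CHANGES file for readers upgrading from older versions.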