Posted to cvs@httpd.apache.org by tr...@apache.org on 2013/10/08 13:15:59 UTC
svn commit: r3223 - /release/httpd/mod_fcgid/Announcement-Fcgid.txt
Author: trawick
Date: Tue Oct 8 11:15:56 2013
New Revision: 3223
Log:
Prepare announcement of mod_fcgid 2.3.9
Modified:
release/httpd/mod_fcgid/Announcement-Fcgid.txt
Modified: release/httpd/mod_fcgid/Announcement-Fcgid.txt
==============================================================================
--- release/httpd/mod_fcgid/Announcement-Fcgid.txt (original)
+++ release/httpd/mod_fcgid/Announcement-Fcgid.txt Tue Oct 8 11:15:56 2013
@@ -1,9 +1,11 @@
- mod_fcgid 2.3.7 Released
+ mod_fcgid 2.3.9 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.3.7 of mod_fcgid, a
+ pleased to announce the release of version 2.3.9 of mod_fcgid, a
FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
- 2.4. This version of mod_fcgid is a bug fix release.
+ 2.4. This version of mod_fcgid is a security release, resolving a
+ defect that could result in a denial of service with some applications.
+ Other fixes and improvements are also included in this release.
mod_fcgid is available for download from:
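Review bot: The new opening paragraph (the lines beginning "+ 2.4. This version of mod_fcgid is a security release") describes the fix only as a denial of service "with some applications" and never names the CVE, while the change list further down identifies it as CVE-2013-4365, a possible heap buffer overwrite. Suggest citing CVE-2013-4365 in this paragraph and stating which earlier versions are affected, so a reader who stops at the summary can match the release against their advisory tracking and decide whether to upgrade.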
@@ -11,24 +13,26 @@
A full list of changes in this release follows:
- *) Introduce FcgidWin32PreventOrphans directive on Windows to use OS
- Job Control Objects to terminate all running fcgi's when the worker
- process has been abruptly terminated. PR: 51078
- [Thangaraj AntonyCrouse <thangaraj gmail.com>]
-
- *) Periodically clean out the brigades which are pulling in the request
- body for handoff to the fcgid child. PR: 51749
- [Dominic Benson <dominic.benson thirdlight.com>]
-
- *) Resolve crash during graceful restarts. PR 50309
- [Mario Brandt <JBlond gmail.com>]
-
- *) Solve latency/cogestion of resolving effective user file access rights
- when no such info is desired, for config related filename stats.
- PR: 51020 [Thangaraj AntonyCrouse <thangaraj gmail.com>, William Rowe]
+ *) SECURITY: CVE-2013-4365 (cve.mitre.org)
+ Fix possible heap buffer overwrite. Reported and solved by:
+ [Robert Matthews <rob tigertech.com>]
- *) Fix regression in 2.3.6 which broke process controls when using vhost-
- specific configuration. [Jeff Trawick]
+ *) Add experimental cmake-based build system for Windows. [Jeff Trawick]
- *) Account for first process in class in the spawn score. [Jeff Trawick]
+ *) Correctly parse quotation and escaped spaces in FcgidWrapper and the
+ AAA Authenticator/Authorizor/Access directives' command line argument,
+ as currently documented. PR 51194 [William Rowe]
+ *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
+ assignments). PR 51657 [William Rowe]
+
+ *) Conform script response parsing with mod_cgid and ensure no response
+ body is sent when ap_meets_conditions() determines that request
+ conditions are met. [Chris Darroch]
+
+ *) Improve logging in access control hook functions. [Chris Darroch]
+
+ *) Avoid making internal sub-requests and processing Location headers
+ when in FCGI_AUTHORIZER mode, as the auth hook functions already
+ treat Location headers returned by scripts as an error since
+ redirections are not meaningful in this mode. [Chris Darroch]
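Review bot: The CVE-2013-4365 entry at the top of the change list says only "Fix possible heap buffer overwrite", with no affected version range and no indication of the conditions under which the overwrite occurs, and "(cve.mitre.org)" names a site rather than the record itself. Suggest adding the affected versions and a one-line impact statement that agrees with the denial-of-service wording in the introduction, and giving the full URL of the CVE record. Minor: "Authorizor" in the FcgidWrapper entry should be spelled "Authorizer".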