The Apache Software Foundation and the Apache HTTP Server Project are
  pleased to announce the release of version 2.3.9 of mod_fcgid, a
  FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
  2.4.  This version of mod_fcgid is a security release, resolving a
  defect that could result in a denial of service with some applications.
  Other fixes and improvements are also included in this release.

  mod_fcgid is available for download from:

  A full list of changes in this release follows:

  *) SECURITY: CVE-2013-4365 (
     Fix possible heap buffer overwrite.  Reported and solved by:
     [Robert Matthews <rob>]

  *) Add experimental cmake-based build system for Windows.  [Jeff Trawick]

  *) Correctly parse quotation and escaped spaces in FcgidWrapper and the
     AAA Authenticator/Authorizor/Access directives' command line argument,
     as currently documented.  PR 51194  [William Rowe]

  *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
     assignments).  PR 51657  [William Rowe]

  *) Conform script response parsing with mod_cgid and ensure no response
     body is sent when ap_meets_conditions() determines that request
     conditions are met.  [Chris Darroch]

  *) Improve logging in access control hook functions.  [Chris Darroch]

  *) Avoid making internal sub-requests and processing Location headers
     when in FCGI_AUTHORIZER mode, as the auth hook functions already
     treat Location headers returned by scripts as an error since
     redirections are not meaningful in this mode.  [Chris Darroch]

Reply via email to