The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.9 of mod_fcgid, a FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and 2.4. This version of mod_fcgid is a security release, resolving a defect that could result in a denial of service with some applications. Other fixes and improvements are also included in this release.
mod_fcgid is available for download from: http://httpd.apache.org/download.cgi#mod_fcgid A full list of changes in this release follows: *) SECURITY: CVE-2013-4365 (cve.mitre.org) Fix possible heap buffer overwrite. Reported and solved by: [Robert Matthews <rob tigertech.com>] *) Add experimental cmake-based build system for Windows. [Jeff Trawick] *) Correctly parse quotation and escaped spaces in FcgidWrapper and the AAA Authenticator/Authorizor/Access directives' command line argument, as currently documented. PR 51194 [William Rowe] *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv assignments). PR 51657 [William Rowe] *) Conform script response parsing with mod_cgid and ensure no response body is sent when ap_meets_conditions() determines that request conditions are met. [Chris Darroch] *) Improve logging in access control hook functions. [Chris Darroch] *) Avoid making internal sub-requests and processing Location headers when in FCGI_AUTHORIZER mode, as the auth hook functions already treat Location headers returned by scripts as an error since redirections are not meaningful in this mode. [Chris Darroch]