The Apache Software Foundation and the Apache HTTP Server Project are
  pleased to announce the release of version 2.3.9 of mod_fcgid, a
  FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
  2.4.  This version of mod_fcgid is a security release, resolving a
  defect that could result in a denial of service with some applications.
  Other fixes and improvements are also included in this release.

  mod_fcgid is available for download from:

    http://httpd.apache.org/download.cgi#mod_fcgid

  A full list of changes in this release follows:

  *) SECURITY: CVE-2013-4365 (cve.mitre.org)
     Fix possible heap buffer overwrite.  Reported and solved by:
     [Robert Matthews <rob tigertech.com>]

  *) Add experimental cmake-based build system for Windows.  [Jeff Trawick]

  *) Correctly parse quotation and escaped spaces in FcgidWrapper and the
     AAA Authenticator/Authorizer/Access directives' command line argument,
     as currently documented.  PR 51194  [William Rowe]

  *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
     assignments).  PR 51657  [William Rowe]

  *) Conform script response parsing with mod_cgid and ensure no response
     body is sent when ap_meets_conditions() determines that request
     conditions are met.  [Chris Darroch]

  *) Improve logging in access control hook functions.  [Chris Darroch]

  *) Avoid making internal sub-requests and processing Location headers
     when in FCGI_AUTHORIZER mode, as the auth hook functions already
     treat Location headers returned by scripts as an error since
     redirections are not meaningful in this mode.  [Chris Darroch]
