Since Jim is talking 2.4.11, I should report this now. We discovered this week in Fedora: mod_wsgi does some interesting things in daemon mode, notably that it allocates a request_rec internally which ends up getting used by httpd.
Reason is, the fix for CVE-2013-5704 extends the request_rec: http://svn.apache.org/r1619884 A mod_wsgi built against <= 2.4.10 will allocate a request_rec using the old, smaller "wrong" size, and hence, if such a build is used with >= 2.4.11, it passes in the wrong-sized request_rec and that breaks later when httpd tries to access r->trailers_*. It's one of those fuzzy boundaries in the API, you can argue mod_wsgi is wrong, but, I could argue it back; the struct *is* public, not got a strong opinion on this personally. Either way, the fix for CVE-2013-5704 ends up breaking backwards compatibility with existing 2.4.x builds of mod_wsgi, which is kind of Bad. I don't have a good proposal for how to fix or avoid this. Worst case, we make clear the mod_wsgi case is API/ABI abuse and warn binary distributors they have to handle this by rebuilding. Regards, Joe
