From: Jeff Trawick
To: announce@apache.org
Cc: Apache HTTP Server Development List
Date: Tue, 8 Oct 2013 07:41:22 -0400
Subject: [ANNOUNCE] mod_fcgid 2.3.9 released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.3.9 of mod_fcgid, a
FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
2.4.  This version of mod_fcgid is a security release, resolving a
defect that could result in a denial of service with some applications.
Other fixes and improvements are also included in this release.

mod_fcgid is available for download from:

  http://httpd.apache.org/download.cgi#mod_fcgid

A full list of changes in this release follows:

  *) SECURITY: CVE-2013-4365 (cve.mitre.org)
     Fix possible heap buffer overwrite.  Reported and solved by:
     [Robert Matthews <rob tigertech.com>]

  *) Add experimental cmake-based build system for Windows.  [Jeff Trawick]

  *) Correctly parse quotation and escaped spaces in FcgidWrapper and the
     AAA Authenticator/Authorizor/Access directives' command line argument,
     as currently documented.  PR 51194  [William Rowe]

  *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
     assignments).  PR 51657  [William Rowe]

  *) Conform script response parsing with mod_cgid and ensure no response
     body is sent when ap_meets_conditions() determines that request
     conditions are met.  [Chris Darroch]

  *) Improve logging in access control hook functions.  [Chris Darroch]

  *) Avoid making internal sub-requests and processing Location headers
     when in FCGI_AUTHORIZER mode, as the auth hook functions already
     treat Location headers returned by scripts as an error since
     redirections are not meaningful in this mode.  [Chris Darroch]