[ANNOUNCE] mod_fcgid 2.3.6 is released

  The Apache Software Foundation and the Apache HTTP Server Project are
  pleased to announce the release of version 2.3.6 of mod_fcgid, a
  FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
  future 2.4.  This version of mod_fcgid is a bug fix release.

  A fix is included for CVE-2010-3872, a potential vulnerability which
  can affect sites with untrusted FastCGI applications.

  Additionally, default configuration settings for request body handling
  have been changed to prevent large system resource use.  Administrators
  of all versions of mod_fcgid are strongly cautioned to ensure that
  FcgidMaxRequestLen is configured appropriately.

  mod_fcgid is available for download from:

    http://httpd.apache.org/download.cgi

  A full list of changes in this release follows:

  *) SECURITY: CVE-2010-3872 (cve.mitre.org)
     Fix possible stack buffer overwrite.  Diagnosed by the reporter.
     PR 49406.  [Edgar Frank <ef-lists email.de>]

  *) Change the default for FcgidMaxRequestLen from 1GB to 128K.
     Administrators should change this to an appropriate value based on
     site requirements.  [Jeff Trawick]

  *) Allow FastCGI apps more time to exit at shutdown before being
     forcefully killed.  [Jeff Trawick]

  *) Correct a problem that resulted in FcgidMaxProcesses being ignored
     in some situations.  PR 48981.  [<rkosolapov gmail.com>]

  *) Fix the search for processes with the proper vhost config when
     ServerName isn't set in every vhost or a module updates
     r->server->server_hostname dynamically (e.g., mod_vhost_cdb)
     or a module updates r->server dynamically (e.g., mod_vhost_ldap).
     [Jeff Trawick]

  *) FcgidPassHeader now maps header names to environment variable names
     in the usual manner: The header name is converted to upper case and
     is prefixed with HTTP_.  An additional environment variable is
     created with the legacy name.  PR 48964.  [Jeff Trawick]

  *) Allow processes to be reused within multiple phases of a request
     by releasing them into the free list as soon as possible.
     [Chris Darroch]

  *) Fix lookup of process command lines when using FcgidWrapper or
     access control directives, including within .htaccess files.
     [Chris Darroch]

  *) Resolve a regression in 2.3.5 with httpd 2.0.x on some Unix platforms;
     ownership of mutex files was incorrect, resulting in a startup failure.
     PR 48651.  [Jeff Trawick, <pservit gmail.com>]

  *) Return 500 instead of segfaulting when the application returns no output.
     [Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]

  *) In FCGI_AUTHORIZER role, avoid spawning a new process for every
     different HTTP request.  [Chris Darroch]


Leave a Reply