The Apache Haus Forum

Forum Topics => News & General Discussion => Topic started by: Gregg on October 08, 2013, 12:51:13 AM

Title: mod_fcgid 2.3.9 for Apache 2.2.x & 2.4 Released
Post by: Gregg on October 08, 2013, 12:51:13 AM
Announcing the release of mod_fcgid 2.3.9 for Apache 2.2 and 2.4.
Available on our download page (http://www.apachehaus.com/cgi-bin/download.plx).

Changes in this version consist of:
Changes with mod_fcgid 2.3.9

  *) Revert fix for PR 53693, added in 2.3.8 but undocumented.  Fix
     issues with a minor optimization added in 2.3.8.  [Jeff Trawick]

Changes with mod_fcgid 2.3.8 (Not Released)

  *) SECURITY: CVE-2013-4365 (cve.mitre.org)
     Fix possible heap buffer overwrite.  Reported and solved by:
     [Robert Matthews <rob tigertech.com>]

  *) Correctly parse quotation and escaped spaces in FcgidWrapper and the
     AAA Authenticator/Authorizor/Access directives' command line argument,
     as currently documented.  PR 51194  [William Rowe]

  *) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
     assignments).  PR 51657  [William Rowe]

  *) Conform script response parsing with mod_cgid and ensure no response
     body is sent when ap_meets_conditions() determines that request
     conditions are met.  [Chris Darroch]

  *) Improve logging in access control hook functions.  [Chris Darroch]

  *) Avoid making internal sub-requests and processing Location headers
     when in FCGI_AUTHORIZER mode, as the auth hook functions already
     treat Location headers returned by scripts as an error since
     redirections are not meaningful in this mode.  [Chris Darroch]

Title: Re: mod_fcgid 2.3.9 for Apache 2.2.x & 2.4 Released
Post by: chromerep on October 09, 2013, 02:07:22 AM
Does this release fix the mentioned issue? (http://www.apachelounge.com/viewtopic.php?p=25699#25699)

Title: Re: mod_fcgid 2.3.9 for Apache 2.2.x & 2.4 Released
Post by: mario on October 09, 2013, 11:11:33 AM
Quote from: chromerep on October 09, 2013, 02:07:22 AM
Does this release fix the mentioned issue? (http://www.apachelounge.com/viewtopic.php?p=25699#25699)

Yes it does.

Quote
  *) Correctly parse quotation and escaped spaces in FcgidWrapper and the
     AAA Authenticator/Authorizor/Access directives' command line argument,
     as currently documented.  PR 51194  [William Rowe]

Title: Re: mod_fcgid 2.3.9 for Apache 2.2.x & 2.4 Released
Post by: mario on October 09, 2013, 01:52:13 PM
Some users complained that for them the bug still exists. Well, you have to escape the white spaces.

Title: Re: mod_fcgid 2.3.9 for Apache 2.2.x & 2.4 Released
Post by: Gregg on October 09, 2013, 06:11:15 PM
Yes, you have to escape white spaces, as the change clearly states. I agree it's strange, but it allows you to have the white space, which is much better than what it was in prior versions.

Title: Re: mod_fcgid 2.3.9 for Apache 2.2.x & 2.4 Released
Post by: chromerep on October 09, 2013, 11:20:55 PM
If I set vhost, should I add white space to the path setting?

Title: Re: mod_fcgid 2.3.9 for Apache 2.2.x & 2.4 Released
Post by: mario on October 11, 2013, 12:04:45 PM
Nope, you should add white space unless you have to!

The new version shall be able to handle white space if you escape it with \ (backslash). But not using white space in your paths is the better option.