PaulHowarth/Blog/2010-11-05

Friday 5th November 2010

Fedora Project

  • Updated mod_fcgid to 2.3.6 in Rawhide, EPEL-6, F-13, and F-12:

    • Fix possible stack buffer overwrite (CVE-2010-3872)

    • Change the default for FcgidMaxRequestLen from 1GB to 128K; administrators should change this to an appropriate value based on site requirements

    • Allow FastCGI apps more time to exit at shutdown before being forcefully killed

    • Correct a problem that resulted in FcgidMaxProcesses being ignored in some situations

    • Fix the search for processes with the proper vhost config when ServerName isn't set in every vhost or a module updates r->server->server_hostname dynamically (e.g., mod_vhost_cdb) or a module updates r->server dynamically (e.g., mod_vhost_ldap)

    • FcgidPassHeader now maps header names to environment variable names in the usual manner: the header name is converted to upper case and is prefixed with HTTP_ (an additional environment variable is created with the legacy name)

    • Allow processes to be reused within multiple phases of a request by releasing them into the free list as soon as possible

    • Fix lookup of process command lines when using FcgidWrapper or access control directives, including within .htaccess files

    • Resolve a regression in 2.3.5 with httpd 2.0.x on some Unix platforms; ownership of mutex files was incorrect, resulting in a startup failure

    • Return 500 instead of segfaulting when the application returns no output

    • In FCGI_AUTHORIZER rôle, avoid spawning a new process for every different HTTP request

  • Updated mod_fcgid 2.2 in EPEL-4 and EPEL-5 to include patches backported from 2.3.6 for the possible stack buffer overwrite (CVE-2010-3872) and for the segfault when the application returns no output

  • Built perl-Test-Fatal (0.003) in Rawhide (first Fedora release of this package)

  • Rebuilt perl-XML-LibXML for libxml2 2.7.8 in Rawhide. Many maintainers have been rebuilding their libxml2-dependent packages today, presumably because of a broken deps report that went out with today's Rawhide compose; that report was a side-effect of a shared-library versioning problem in libxml2 that was fixed in 2.7.8-4.fc15, which means that all of the broken deps will be OK again tomorrow anyway. The perl-XML-LibXML package does need to be rebuilt though, because it embeds the version of libxml2 that it was built against into the module, and one of the tests in the perl-XML-LibXSLT test suite checks this (the built-against version must match the run-against version); hence a rebuild of perl-XML-LibXML is necessary to avoid a FTBFS issue with perl-XML-LibXSLT.

Local Packages

  • Updated mod_fcgid to 2.3.6 as per the Fedora version, dropping the SELinux policy module for the RHEL-5 build as RHEL-5.5 now contains working policy

  • Rebuilt perl-XML-LibXML for libxml2 2.7.8
