File: version-4.4.6.rst

=============
Version 4.4.6
=============

Version 4.4.6 of mod_wsgi can be obtained from:

  https://codeload.github.com/GrahamDumpleton/mod_wsgi/tar.gz/4.4.6

For details on the availability of Windows binaries see:

  https://github.com/GrahamDumpleton/mod_wsgi/tree/master/win32

Bugs Fixed
----------

1. Apache 2.2.29 and 2.4.11 introduce additional fields to the request
structure ``request_rec`` due to CVE-2013-5704. The addition of these
fields will cause versions of mod_wsgi from 4.4.0-4.4.5 to crash when used
in mod_wsgi daemon mode, as mod_wsgi isn't initialising the new structure
members.

If you are upgrading your Apache installation to those versions or later
versions, you must also update to mod_wsgi version 4.4.6. The mod_wsgi
4.4.6 source code must also have been compiled against the newer Apache
version.

When the mod_wsgi 4.4.6 source code is recompiled against the newer Apache
versions, it is able to detect at compile time that the new fields exist by
checking a compile time version number.

One problem that can arise is that, where a CVE is raised for a security
issue, Linux distributions will backport the change to older Apache
versions. When they do this, though, the compile time version number isn't
changed, so when built against Apache versions with the backport, mod_wsgi
cannot detect at compile time that the additional fields exist.

To combat this problem, mod_wsgi will do some runtime checks which look at
the actual size of ``request_rec`` and calculate whether the additional
fields have been added by way of a backported change. In this case mod_wsgi
will then set the fields as necessary.

As a final fail safe for forward compatibility, if the current mod_wsgi
source code is compiled against a version of Apache which doesn't have the
CVE change applied, it will pad the ``request_rec`` and optimistically set
the fields anyway. This is to deal with the situation where mod_wsgi is
compiled against an older Apache and then that Apache is upgraded to one
with the CVE change, but mod_wsgi is not recompiled so that the additional
fields can be detected at compile time.
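
The size check and padding fail safe described above, sketched as an added
example that is not mod_wsgi's own code. The ``req_stock`` and
``req_backport`` structures, the ``extra1``/``extra2`` fields and all
function names are hypothetical stand-ins for ``request_rec`` and its new
members.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts that report the same version number. */
struct req_stock    { void *pool; int status; void *last_known; };
struct req_backport { void *pool; int status; void *last_known;
                      void *extra1; void *extra2; };   /* backported fields */

/* Offset just past the last field that every layout shares. */
#define KNOWN_END   (offsetof(struct req_stock, last_known) + sizeof(void *))
#define EXTRA_BYTES (2 * sizeof(void *))

/* Size check: is there room for the two added pointers after KNOWN_END? */
int has_extra_fields(size_t struct_size)
{
    return struct_size >= KNOWN_END + EXTRA_BYTES;
}

/* Fail safe: if the headers lack the fields, pad the allocation so a newer
 * server reading or writing them stays inside the object. Zero-filled. */
void *alloc_request(size_t struct_size)
{
    size_t pad = has_extra_fields(struct_size) ? 0 : EXTRA_BYTES;
    return calloc(1, struct_size + pad);
}

/* Set the two pointer slots that sit directly after the known fields. */
void init_extra_fields(void *req, void *first, void *second)
{
    void *slots[2] = { first, second };
    memcpy((char *)req + KNOWN_END, slots, sizeof slots);
}

int main(void)
{
    int a = 0, b = 0;
    /* Built against the stock headers, run under the backported layout. */
    struct req_backport *r = alloc_request(sizeof(struct req_stock));
    if (r == NULL)
        return 1;
    init_extra_fields(r, &a, &b);
    printf("stock=%d backport=%d set=%d\n",
           has_extra_fields(sizeof(struct req_stock)),
           has_extra_fields(sizeof(struct req_backport)),
           r->extra1 == (void *)&a && r->extra2 == (void *)&b);
    free(r);
    return 0;
}
```

Without the padding, the allocation sized from the stock headers would end
at ``KNOWN_END`` and any access to the added fields would fall outside it.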

2. Override the ``LC_ALL`` environment variable when the ``locale`` option
to the ``WSGIDaemonProcess`` directive is used. It is not always sufficient
to just call ``setlocale()`` as some Python code, including interpreter
initialisation, can still consult the original ``LC_ALL`` environment
variable. In this case this can result in an undesired file system encoding
still being selected.

New Features
------------

1. Added ``--enable-gdb`` option to ``mod_wsgi-express`` for use when running
in debug mode. With this option set, Apache will be started up within
``gdb``, allowing the debugging of process crashes on startup or while
handling requests. If the ``gdb`` program is not in ``PATH``, the
``--gdb-executable`` option can be set to give its location.