Version 4.4.6

Version 4.4.6 of mod_wsgi can be obtained from:

For details on the availability of Windows binaries see:

Bugs Fixed

1. Apache 2.2.29 and 2.4.11 introduce additional fields to the request structure request_rec due to CVE-2013-5704. The addition of these fields will cause versions of mod_wsgi from 4.4.0-4.4.5 to crash when used in mod_wsgi daemon mode and mod_wsgi isn’t initialising the new structure members.

If you are upgrading your Apache installation to those versions or later versions, you must also update to mod_wsgi version 4.4.6. The mod_wsgi 4.4.6 source code must have also been compiled against the newer Apache version.

In recompiling mod_wsgi 4.4.6 source code against the newer Apache versions the source code is able to detect the new fields exist at compile time by checking a compile time version number.

One problem that can arise is that where a CVE is raised for a security issue, Linux distributions will back port the change to older Apache versions. When they do this though, the compile time version number isn’t changed, so mod_wsgi cannot detect at compile time when built against Apache versions with the backport that the additional fields exist.

To combat this problem, mod_wsgi will do some runtime checks which look at the actual size of request_rec and calculate whether the additional fields have been added by way of a backported change. In this case mod_wsgi will then set the fields as necessary.

As a final fail safe for forward compatibility. If the current mod_wsgi source code is compiled against a version of Apache which doesn’t have the CVE change applied, it will pad the request_rec and optimistically set the fields anyway. This is to deal with the situation where mod_wsgi is compiled against an older Apache and then that Apache is upgraded to one with the CVE change, but mod_wsgi is not recompiled so that the additional fields can be detected at compile time.

2. Override LC_ALL environment variable when locale option to the WSGIDaemonProcess directive. It is not always sufficient to just call setlocale() as some Python code, including interpreter initialisation can still consult the original LC_ALL environment variable. In this case this can result in an undesired file system encoding still being selected.

New Features

1. Added --enable-gdb option to mod_wsgi-express for when running in debug mode. With this option set, Apache will be started up within gdb allowing the debug of process crashes on startup or while handling requests. If the gdb program is not in PATH, the --gdb-executable option can be set to give its location.