| Revision Date: | 2014-08-18 | Version: | 8 |
| Title: | RHSA-2014:0788: mod_wsgi security update (Important) |
| Description: | The mod_wsgi adapter is an Apache module that provides a WSGI-compliantinterface for hosting Python-based web applications within Apache.It was found that mod_wsgi did not properly drop privileges if the call tosetuid() failed. If mod_wsgi was set up to allow unprivileged users to runWSGI applications, a local user able to run a WSGI application couldpossibly use this flaw to escalate their privileges on the system.(CVE-2014-0240)Note: mod_wsgi is not intended to provide privilege separation for WSGIapplications. Systems relying on mod_wsgi to limit or sandbox theprivileges of mod_wsgi applications should migrate to a different solutionwith proper privilege separation.It was discovered that mod_wsgi could leak memory of a hosted webapplication via the "Content-Type" header. A remote attacker could possiblyuse this flaw to disclose limited portions of the web application's memory.(CVE-2014-0242)Red Hat would like to thank Graham Dumpleton for reporting these issues.Upstream acknowledges Róbert Kisteleki as the original reporter ofCVE-2014-0240, and Buck Golemon as the original reporter of CVE-2014-0242.All mod_wsgi users are advised to upgrade to this updated package, whichcontains backported patches to correct these issues. |
| Family: | unix | Class: | patch |
| Status: | ACCEPTED | Reference(s): | CESA-2014:0788
CVE-2014-0240
CVE-2014-0242
RHSA-2014:0788-00
|
| Platform(s): | CentOS Linux 6
Red Hat Enterprise Linux 6
| Product(s): | mod_wsgi
|
| Definition Synopsis |
| mod_wsgi is earlier than 0:3.2-6.el6_5 AND Redhat 6 or Centos 6 release
The operating system installed on the system is Red Hat Enterprise Linux 6
OR The operating system installed on the system is CentOS Linux 6.x
|