Synopsis: Important: mod_wsgi security update
Advisory ID: SLSA-2014:0788-1
Issue Date: 2014-06-25
CVE Numbers: CVE-2014-0240, CVE-2014-0242
—
It was found that mod_wsgi did not properly drop privileges if the call to
setuid() failed: a failed call was not treated as fatal, so the process kept
running with the privileges it started with. If mod_wsgi was set up to allow
unprivileged users to run WSGI applications, a local user able to run a WSGI
application could possibly use this flaw to escalate their privileges on the
system. (CVE-2014-0240)
Note: mod_wsgi is not intended to provide privilege separation for WSGI
applications. Systems relying on mod_wsgi to limit or sandbox the
privileges of mod_wsgi applications should migrate to a different solution
with proper privilege separation.
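The bug class behind CVE-2014-0240 is easiest to see side by side with its fix. The block below is an added example written for this advisory, not mod_wsgi's own code: drop_privileges_unchecked() ignores the return values of setgid()/setuid() (the pattern that leaves a process running with its original privileges when the call fails), and drop_privileges() is the hardened form that checks every call, verifies the resulting credentials, and confirms root cannot be regained. Function names and the ordering (groups, gid, uid) are this example's own choices.

```c
/* Added example, not mod_wsgi's code: an unchecked privilege drop next to a
 * checked one. All function names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Bug pattern: the return values are never examined, so when setuid()
 * fails (EPERM, or EAGAIN when the target uid is over RLIMIT_NPROC) the
 * caller proceeds to run application code with the original credentials,
 * typically root for a daemon forked from the Apache parent. Always
 * "succeeds" from the caller's point of view. */
int drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    int rc;
    rc = setgid(gid);   /* result stored and never looked at */
    rc = setuid(uid);   /* same: this is the CVE-2014-0240 shape */
    (void)rc;
    return 0;
}

/* Hardened form: drop supplementary groups, then gid, then uid, checking
 * each call, then verify the kernel's view of our ids and that root cannot
 * be regained. Returns 0 on success, -1 (errno set) on failure; on failure
 * the caller must abort the worker rather than continue. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID; only a root process has groups to
     * shed, an unprivileged one would just get EPERM here. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once uid is no longer 0, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Confirm real and effective ids actually changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* A genuine drop must make re-acquiring root impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo: drop to our own ids (always allowed), then attempt
 * the transition an unprivileged worker must not be able to make. */
int main(void)
{
    int rc = drop_privileges(getuid(), getgid());
    printf("drop to own ids: %s\n", rc == 0 ? "ok" : "failed");

    if (getuid() != 0) {
        rc = drop_privileges_unchecked(0, 0);
        printf("unchecked drop to root reported %d, euid is %u\n",
               rc, (unsigned)geteuid());
        rc = drop_privileges(0, 0);
        printf("checked drop to root: %s (errno %d)\n",
               rc == 0 ? "ok" : "rejected", errno);
    }
    return 0;
}
```

The unchecked function "succeeds" even when nothing changed; the checked one refuses. Note that the verification step matters on its own: a setuid() that returns 0 but only changes the effective id (possible when called without root) would still be caught by the getuid()/geteuid() comparison.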
It was discovered that mod_wsgi could leak memory of a hosted web
application via the “Content-Type” header. A remote attacker could
possibly use this flaw to disclose limited portions of the web
application’s memory. (CVE-2014-0242)
—
SL6
x86_64
mod_wsgi-3.2-6.el6_5.x86_64.rpm
mod_wsgi-debuginfo-3.2-6.el6_5.x86_64.rpm
i386
mod_wsgi-3.2-6.el6_5.i686.rpm
mod_wsgi-debuginfo-3.2-6.el6_5.i686.rpm
srpm
mod_wsgi-3.2-6.el6_5.src.rpm
– Scientific Linux Development Team