GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Sun Dec 14, 2014 1:26 am Post subject: [ GLSA 201412-21 ] mod_wsgi: Privilege escalation
Gentoo Linux Security Advisory
Title: mod_wsgi: Privilege escalation (GLSA 201412-21)
Severity: high
Exploitable: local, remote
Date: December 13, 2014
Bug(s): #510938
ID: 201412-21
Synopsis
Two vulnerabilities have been found in mod_wsgi, the worst of which
could result in local privilege escalation.
Background
mod_wsgi is an Apache2 module for running Python WSGI applications.
Affected Packages
Package: www-apache/mod_wsgi
Vulnerable: < 3.5
Unaffected: >= 3.5
Architectures: All supported architectures
Description
Two vulnerabilities have been found in mod_wsgi:
- Error codes returned by setuid are not properly handled (CVE-2014-0240)
- A memory leak exists via the “Content-Type” header (CVE-2014-0242)
Impact
A local attacker may be able to gain escalated privileges. Furthermore,
a remote attacker may be able to obtain sensitive information.
Workaround
There is no known workaround at this time.
Resolution
All mod_wsgi users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-3.5"
References
CVE-2014-0240
CVE-2014-0242
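The first issue in the Description is the general bug class of ignoring the return value of setuid. The following is an added example of that class beside a fail-closed version; it is not mod_wsgi's code and is not part of the advisory. All function names, the simulated uid state and the uid 1000 are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The identity calls are injected so the failure path can be exercised
   without root; a real daemon would pass setuid and getuid. */
typedef int (*setuid_fn)(uid_t);
typedef uid_t (*getuid_fn)(void);

/* Constructed stand-in for process state: starts as root (uid 0). */
static uid_t sim_uid = 0;
static uid_t sim_getuid(void) { return sim_uid; }
static int sim_setuid_ok(uid_t u) { sim_uid = u; return 0; }
/* Simulates a refused call (errno EAGAIN): the uid is left unchanged. */
static int sim_setuid_fail(uid_t u) { (void)u; errno = EAGAIN; return -1; }

/* Flawed pattern: the result of setuid is discarded, so the caller
   carries on believing it now runs as `target`. */
static int drop_unchecked(setuid_fn do_setuid, uid_t target) {
    do_setuid(target);
    return 0;
}

/* Hardened pattern: fail closed on any error, then verify the result. */
static int drop_checked(setuid_fn do_setuid, getuid_fn cur_uid, uid_t target) {
    if (do_setuid(target) != 0) {
        perror("setuid");
        return -1;          /* caller must abort instead of continuing */
    }
    if (cur_uid() != target)
        return -1;          /* call reported success but uid did not change */
    return 0;
}

int main(void) {
    const uid_t svc = 1000; /* hypothetical unprivileged service uid */
    printf("unchecked, failing setuid: rc=%d uid=%u\n",
           drop_unchecked(sim_setuid_fail, svc), (unsigned)sim_getuid());
    printf("checked, failing setuid:   rc=%d uid=%u\n",
           drop_checked(sim_setuid_fail, sim_getuid, svc), (unsigned)sim_getuid());
    printf("checked, working setuid:   rc=%d uid=%u\n",
           drop_checked(sim_setuid_ok, sim_getuid, svc), (unsigned)sim_getuid());
    /* Real system calls, targeting the uid the process already has. */
    printf("checked, real setuid:      rc=%d\n", drop_checked(setuid, getuid, getuid()));
    return 0;
}
```

A caller that receives -1 from the checked version should terminate the worker rather than serve requests with the original identity.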