Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in mod_wsgi
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in mod_wsgi
ID: USN-2222-1
Distribution: Ubuntu
Plattformen: Ubuntu 12.04 LTS, Ubuntu 13.10, Ubuntu 14.04 LTS
Datum: Mo, 26. Mai 2014, 17:05
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242
Applikationen: mod_wsgi

Originalnachricht


--===============0338013512260932709==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="AhhlLboLdkugWU4S"
Content-Disposition: inline


--AhhlLboLdkugWU4S
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inlin
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-2222-1
May 26, 2014

mod-wsgi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.04 LTS

Summary:

mod_wsgi could be made to run programs as an administrator if it executes
a specially crafted file.

mod_wsgi could be made to expose sensitive information over the network.

Software Description:
- mod-wsgi: Python WSGI adapter module for Apache

Details:

Róbert Kisteleki discovered mod_wsgi incorrectly checked setuid return
values. A malicious application could use this issue to cause a local
privilege escalation when using daemon mode. (CVE-2014-0240)

Buck Golemon discovered that mod_wsgi used memory that had been freed.
A remote attacker could use this issue to read process memory via the
Content-Type response header. This issue only affected Ubuntu 12.04 LTS.
(CVE-2014-0242)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
libapache2-mod-wsgi 3.4-4ubuntu2.1.14.04.1
libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.14.04.1

Ubuntu 13.10:
libapache2-mod-wsgi 3.4-4ubuntu2.1.13.10.1
libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.13.10.1

Ubuntu 12.04 LTS:
libapache2-mod-wsgi 3.3-4ubuntu0.1
libapache2-mod-wsgi-py3 3.3-4ubuntu0.1

After a standard system update you need to restart apache2 to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2222-1
CVE-2014-0240, CVE-2014-0242

Package Information:
https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.14.04.1
https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.13.10.1
https://launchpad.net/ubuntu/+source/mod-wsgi/3.3-4ubuntu0.1


--AhhlLboLdkugWU4S
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJTgz6LAAoJEPMhclmdjS6XvSAH/R41L4Ug9twiIIo6zhucdSCc
Wt9CCZm+DnFdOczlFL6DSHKmGd/O4PrAyp/48zcZ8dAKkGEd2jemUMz4rU8LcQKV
QouXbotB/D8jOBU8z6bzvxElo7weay5ZDPhx7h7xURv434/RKQ5GmqyCP4Ho3dhA
Zt5Nt7jXkaUIjb2qoGRlmqzg2uAJekDB+vd4HfB0KnhL7zgG3mfBnpWIR2DTLP+F
whlSfOvJbXbHnztLkK2JnyxhjTLBZ70bWY/T61guJZHWF0oXCgHLX9+2Ebjhkv5D
GkucOR4ozWPXqR8DnJktRQlQirjp3qXjCJ7auPRlw1GhsuEfulb2uXLHgqR7G2o=
=FpSp
-----END PGP SIGNATURE-----

--AhhlLboLdkugWU4S--


--===============0338013512260932709==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============0338013512260932709==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung