Security: Two problems in mod_wsgi
Name: Two problems in mod_wsgi
ID: USN-2222-1
Distribution: Ubuntu
Platforms: Ubuntu 12.04 LTS, Ubuntu 13.10, Ubuntu 14.04 LTS
Date: Mon, 26 May 2014, 17:05
References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242
Applications: mod_wsgi
Original message
==========================================================================
Ubuntu Security Notice USN-2222-1
May 26, 2014
mod-wsgi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.04 LTS
Summary:
mod_wsgi could be made to run programs as an administrator if it executes a specially crafted file.
mod_wsgi could be made to expose sensitive information over the network.
Software Description:
- mod-wsgi: Python WSGI adapter module for Apache
Details:
Róbert Kisteleki discovered mod_wsgi incorrectly checked setuid return values. A malicious application could use this issue to cause a local privilege escalation when using daemon mode. (CVE-2014-0240)
Buck Golemon discovered that mod_wsgi used memory that had been freed. A remote attacker could use this issue to read process memory via the Content-Type response header. This issue only affected Ubuntu 12.04 LTS. (CVE-2014-0242)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 14.04 LTS:
  libapache2-mod-wsgi 3.4-4ubuntu2.1.14.04.1
  libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.14.04.1
Ubuntu 13.10:
  libapache2-mod-wsgi 3.4-4ubuntu2.1.13.10.1
  libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.13.10.1
Ubuntu 12.04 LTS:
  libapache2-mod-wsgi 3.3-4ubuntu0.1
  libapache2-mod-wsgi-py3 3.3-4ubuntu0.1
After a standard system update you need to restart apache2 to make all the necessary changes.
References:
  http://www.ubuntu.com/usn/usn-2222-1
  CVE-2014-0240, CVE-2014-0242
Package Information:
  https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.14.04.1
  https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.13.10.1
  https://launchpad.net/ubuntu/+source/mod-wsgi/3.3-4ubuntu0.1
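The CVE-2014-0240 entry above concerns incorrectly checked setuid return values. As an added illustration of that bug class (not part of the Ubuntu notice and not mod_wsgi's code), the following C program contrasts a privilege drop that ignores the result with one that treats any failure as fatal. The names `drop_unchecked`, `drop_checked` and `failing_setuid`, and the function-pointer parameters, are hypothetical and exist only so the failure path runs without root.

```c
/* Added illustration of the CVE-2014-0240 bug class; not mod_wsgi source. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: the identity-changing calls are passed in so the failure
 * path can be exercised without root. Real code calls setgid/setuid. */
typedef int (*setgid_fn)(gid_t);
typedef int (*setuid_fn)(uid_t);

/* Constructed stand-in for a setuid() call that the kernel refuses. */
static int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Weak: results ignored, so the caller proceeds as if the drop worked. */
static int drop_unchecked(setgid_fn sg, setuid_fn su, uid_t uid, gid_t gid)
{
    sg(gid);
    su(uid);
    return 0; /* "success" even when the process kept its old identity */
}

/* Hardened: group before user, every result checked, identity verified.
 * A root daemon would also clear supplementary groups with setgroups()
 * first; left out here so the example runs unprivileged.
 * Returns 0 on success, -1 when the caller must abort before running
 * any application code. */
static int drop_checked(setgid_fn sg, setuid_fn su, uid_t uid, gid_t gid)
{
    if (sg(gid) != 0) return -1;
    if (su(uid) != 0) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

int main(void)
{
    uid_t uid = getuid();   /* target = current identity, so no root needed */
    gid_t gid = getgid();
    printf("unchecked, setuid fails: %d\n", drop_unchecked(setgid, failing_setuid, uid, gid));
    printf("checked,   setuid fails: %d\n", drop_checked(setgid, failing_setuid, uid, gid));
    printf("checked,   real setuid:  %d\n", drop_checked(setgid, setuid, uid, gid));
    return 0;
}
```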