Posted: Sun Dec 14, 2014 1:26 am Post subject: [ GLSA 201412-21 ] mod_wsgi: Privilege escalation
Gentoo Linux Security Advisory
Title: mod_wsgi: Privilege escalation (GLSA 201412-21)
Exploitable: local, remote
Date: December 13, 2014
Two vulnerabilities have been found in mod_wsgi, the worst of which
could result in local privilege escalation.
mod_wsgi is an Apache2 module for running Python WSGI applications.
Vulnerable: < 3.5
Unaffected: >= 3.5
Architectures: All supported architectures
Two vulnerabilities have been found in mod_wsgi:
- Error codes returned by setuid are not properly handled
- A memory leak exists via the “Content-Type” header
A local attacker may be able to gain escalated privileges. Furthermore,
a remote attacker may be able to obtain sensitive information.
There is no known workaround at this time.
All mod_wsgi users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-3.5"
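
The first issue listed above, an ignored setuid return code, is shown below as an added example; it is not mod_wsgi code and not part of the advisory. The function names and the simulated setuid stand-ins are hypothetical, constructed so the failure path (setuid returning -1, for example with EAGAIN) can be run without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

typedef int (*setuid_fn)(uid_t);

/* Constructed stand-ins for setuid(2) acting on a simulated euid,
 * so the failure path can be exercised without root. */
static uid_t sim_euid;
static int ok_setuid(uid_t uid) { sim_euid = uid; return 0; }
static int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Unchecked: the return value is discarded, so the caller carries on
 * as if privileges had been dropped. */
static int drop_unchecked(uid_t uid, setuid_fn do_setuid)
{
    do_setuid(uid);
    return 0;
}

/* Checked: fail closed on error, then confirm the switch took effect. */
static int drop_checked(uid_t uid, setuid_fn do_setuid)
{
    if (do_setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    return sim_euid == uid ? 0 : -1;  /* real code compares geteuid() */
}

/* Euid the simulated worker ends up running as, or -1 if startup aborts. */
static long start_worker(int (*drop)(uid_t, setuid_fn), setuid_fn do_setuid,
                         uid_t target)
{
    sim_euid = 0;  /* the parent process starts as root */
    if (drop(target, do_setuid) != 0)
        return -1;
    return (long)sim_euid;
}

int main(void)
{
    printf("unchecked, setuid fails: euid %ld\n",
           start_worker(drop_unchecked, failing_setuid, 1000));
    printf("checked, setuid fails:   euid %ld\n",
           start_worker(drop_checked, failing_setuid, 1000));
    printf("checked, setuid works:   euid %ld\n",
           start_worker(drop_checked, ok_setuid, 1000));
    return 0;
}
```

With the unchecked pattern the simulated worker keeps euid 0 when setuid fails; the checked pattern refuses to start it.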