[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

RHSA-2014:1091-01 -- Redhat mod_wsgi

ID: oval:org.secpod.oval:def:501370Date: (C)2014-09-02   (M)2023-07-28
Class: PATCHFamily: unix




The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache. It was found that mod_wsgi did not properly drop privileges if the call to setuid failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. Red Hat would like to thank Graham Dumpleton for reporting this issue. Upstream acknowledges Robert Kisteleki as the original reporter. All mod_wsgi users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

Platform:
Red Hat Enterprise Linux 7
Product:
mod_wsgi
Reference:
RHSA-2014:1091-01
CVE-2014-0240
CVE    1
CVE-2014-0240
CPE    23
cpe:/a:modwsgi:mod_wsgi:1.2
cpe:/a:modwsgi:mod_wsgi:2.1
cpe:/a:modwsgi:mod_wsgi:3.0
cpe:/a:modwsgi:mod_wsgi:1.3
...

© SecPod Technologies