=========================================================================Ubuntu Security Notice USN-2222-1
May 26, 2014
mod-wsgi vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.04 LTS
Summary:
mod_wsgi could be made to run programs as an administrator if it executes
a specially crafted file.
mod_wsgi could be made to expose sensitive information over the network.
Software Description:
- mod-wsgi: Python WSGI adapter module for Apache
Details:
Róbert Kisteleki discovered mod_wsgi incorrectly checked setuid return
values. A malicious application could use this issue to cause a local
privilege escalation when using daemon mode. (CVE-2014-0240)
Buck Golemon discovered that mod_wsgi used memory that had been freed.
A remote attacker could use this issue to read process memory via the
Content-Type response header. This issue only affected Ubuntu 12.04 LTS.
(CVE-2014-0242)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libapache2-mod-wsgi 3.4-4ubuntu2.1.14.04.1
libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.14.04.1
Ubuntu 13.10:
libapache2-mod-wsgi 3.4-4ubuntu2.1.13.10.1
libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.13.10.1
Ubuntu 12.04 LTS:
libapache2-mod-wsgi 3.3-4ubuntu0.1
libapache2-mod-wsgi-py3 3.3-4ubuntu0.1
After a standard system update you need to restart apache2 to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-2222-1
CVE-2014-0240, CVE-2014-0242
Package Information:
https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.14.04.1
https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.13.10.1
https://launchpad.net/ubuntu/+source/mod-wsgi/3.3-4ubuntu0.1