Debian Bug report logs - #748910
CVE-2014-0240: Possibility of local privilege escalation when using daemon mode
Reported by: Eric Sesterhenn <eric.sesterhenn@lsexperts.de>
Date: Thu, 22 May 2014 08:30:13 UTC
Severity: critical
Tags: security
Found in versions mod-wsgi/3.3-4, mod-wsgi/3.3-2
Fixed in versions mod-wsgi/3.5-1, mod-wsgi/3.3-4+deb7u1, mod-wsgi/3.3-2+deb6u1
Done: Felix Geyer <fgeyer@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#748910; Package libapache2-mod-wsgi. (Thu, 22 May 2014 08:30:18 GMT)
Acknowledgement sent to Eric Sesterhenn <eric.sesterhenn@lsexperts.de>: New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 22 May 2014 08:30:18 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libapache2-mod-wsgi
Version: 3.3-4
Severity: critical
Tags: security
Justification: root security hole
Dear Maintainer,
as far as I can tell, CVE-2014-0240 affects the stable package of
mod-wsgi. The patch provided by the mod-wsgi team applies with fuzzing
to the source shipped by Debian. If a kernel >= 2.6.0 and < 3.1.0 is
installed, this issue might allow local privilege escalation.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther
[mod_wsgi.diff (text/x-patch, attachment)]
Marked as fixed in versions mod-wsgi/3.5-1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Thu, 22 May 2014 08:54:10 GMT)
Marked Bug as done. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Thu, 22 May 2014 08:54:11 GMT)
Notification sent to Eric Sesterhenn <eric.sesterhenn@lsexperts.de>: Bug acknowledged by developer. (Thu, 22 May 2014 08:54:12 GMT)
Marked as found in versions mod-wsgi/3.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 22 May 2014 09:12:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#748910; Package libapache2-mod-wsgi. (Thu, 22 May 2014 12:12:05 GMT)
Acknowledgement sent to Felix Geyer <fgeyer@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 22 May 2014 12:12:05 GMT)
Message #18 received at 748910@bugs.debian.org:
On 2014-05-22 09:57, Eric Sesterhenn wrote:
> Package: libapache2-mod-wsgi
> Version: 3.3-4
> Severity: critical
> Tags: security
> Justification: root security hole
>
> Dear Maintainer,
>
> as far as I can tell, CVE-2014-0240 affects the stable package of
> mod-wsgi. The patch provided by the mod-wsgi team applies with fuzzing
> to the source shipped by Debian. If a kernel >= 2.6.0 and < 3.1.0 is
> installed, this issue might allow local privilege escalation.
I'll upload fixed packages for squeeze and wheezy later today.
Cheers,
Felix
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#748910; Package libapache2-mod-wsgi. (Mon, 26 May 2014 08:39:09 GMT)
Acknowledgement sent to Eric Sesterhenn <eric.sesterhenn@lsexperts.de>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 26 May 2014 08:39:09 GMT)
Message #23 received at 748910@bugs.debian.org:
Hello,
I do not see the packages in the repository yet, is there anything I can
help with?
Regards, Eric
On 05/22/2014 01:44 PM, Felix Geyer wrote:
> On 2014-05-22 09:57, Eric Sesterhenn wrote:
>> Package: libapache2-mod-wsgi
>> Version: 3.3-4
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>>
>> Dear Maintainer,
>>
>> as far as I can tell, CVE-2014-0240 affects the stable package of
>> mod-wsgi. The patch provided by the mod-wsgi team applies with fuzzing
>> to the source shipped by Debian. If a kernel >= 2.6.0 and < 3.1.0 is
>> installed, this issue might allow local privilege escalation.
>
> I'll upload fixed packages for squeeze and wheezy later today.
>
> Cheers,
> Felix
>
Reply sent to Felix Geyer <fgeyer@debian.org>: You have taken responsibility. (Wed, 04 Jun 2014 06:51:40 GMT)
Notification sent to Eric Sesterhenn <eric.sesterhenn@lsexperts.de>: Bug acknowledged by developer. (Wed, 04 Jun 2014 06:51:40 GMT)
Message #28 received at 748910-close@bugs.debian.org:
Source: mod-wsgi
Source-Version: 3.3-4+deb7u1
We believe that the bug you reported is fixed in the latest version of
mod-wsgi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 748910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated mod-wsgi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 21 May 2014 22:20:57 +0200
Source: mod-wsgi
Binary: libapache2-mod-wsgi libapache2-mod-wsgi-py3
Architecture: source amd64
Version: 3.3-4+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
libapache2-mod-wsgi - Python WSGI adapter module for Apache
libapache2-mod-wsgi-py3 - Python 3 WSGI adapter module for Apache
Closes: 748910
Changes:
mod-wsgi (3.3-4+deb7u1) wheezy-security; urgency=high
.
* Fix possibility of local privilege escalation when using daemon mode.
(Closes: #748910)
- CVE-2014-0240
- debian/patches/CVE-2014-0240.patch: backport upstream commit
* Fix possibility of disclosure via Content-Type response header.
- CVE-2014-0242
- debian/patches/CVE-2014-0242.patch: backport upstream commit
Reply sent to Felix Geyer <fgeyer@debian.org>: You have taken responsibility. (Wed, 04 Jun 2014 12:45:18 GMT)
Notification sent to Eric Sesterhenn <eric.sesterhenn@lsexperts.de>: Bug acknowledged by developer. (Wed, 04 Jun 2014 12:45:18 GMT)
Message #33 received at 748910-close@bugs.debian.org:
Source: mod-wsgi
Source-Version: 3.3-2+deb6u1
We believe that the bug you reported is fixed in the latest version of
mod-wsgi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 748910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated mod-wsgi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 21 May 2014 22:44:27 +0200
Source: mod-wsgi
Binary: libapache2-mod-wsgi libapache2-mod-wsgi-py3
Architecture: source amd64
Version: 3.3-2+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
libapache2-mod-wsgi - Python WSGI adapter module for Apache
libapache2-mod-wsgi-py3 - Python 3 WSGI adapter module for Apache
Closes: 748910
Changes:
mod-wsgi (3.3-2+deb6u1) squeeze-security; urgency=high
.
* Fix possibility of local privilege escalation when using daemon mode.
(Closes: #748910)
- CVE-2014-0240
- Backport upstream commit d9d5fea.
* Fix possibility of disclosure via Content-Type response header.
- CVE-2014-0242
- Backport upstream commit b0a149c.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Jul 2014 07:25:58 GMT)
Last modified: Wed Jun 19 15:39:59 2019