CentOS Local Security Checks : CentOS Update for mod

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.881956

Categoría: CentOS Local Security Checks

Título: CentOS Update for mod_wsgi CESA-2014:0788 centos6

Resumen: The remote host is missing an update for the 'mod_wsgi'; package(s) announced via the referenced advisory.

Descripción: Summary:
The remote host is missing an update for the 'mod_wsgi'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The mod_wsgi adapter is an Apache module that provides a
WSGI-compliant interface for hosting Python-based web applications within
Apache.

It was found that mod_wsgi did not properly drop privileges if the call to
setuid() failed. If mod_wsgi was set up to allow unprivileged users to run
WSGI applications, a local user able to run a WSGI application could
possibly use this flaw to escalate their privileges on the system.
(CVE-2014-0240)

Note: mod_wsgi is not intended to provide privilege separation for WSGI
applications. Systems relying on mod_wsgi to limit or sandbox the
privileges of mod_wsgi applications should migrate to a different solution
with proper privilege separation.

It was discovered that mod_wsgi could leak memory of a hosted web
application via the 'Content-Type' header. A remote attacker could possibly
use this flaw to disclose limited portions of the web application's memory.
(CVE-2014-0242)

Red Hat would like to thank Graham Dumpleton for reporting these issues.
Upstream acknowledges Robert Kisteleki as the original reporter of
CVE-2014-0240, and Buck Golemon as the original reporter of CVE-2014-0242.

All mod_wsgi users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.

Affected Software/OS:
mod_wsgi on CentOS 6

Solution:
Please install the updated packages.

CVSS Score:
6.2

CVSS Vector:
AV:L/AC:H/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-0240
BugTraq ID: 67532
http://www.securityfocus.com/bid/67532
http://www.openwall.com/lists/oss-security/2014/05/21/1
RedHat Security Advisories: RHSA-2014:0789
http://rhn.redhat.com/errata/RHSA-2014-0789.html
http://secunia.com/advisories/59551
http://secunia.com/advisories/60094
Common Vulnerability Exposure (CVE) ID: CVE-2014-0242
http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html
http://modwsgi.readthedocs.org/en/latest/release-notes/version-3.4.html
http://www.securityfocus.com/bid/67534

Copyright Copyright (C) 2014 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.881956
Categoría:	CentOS Local Security Checks
Título:	CentOS Update for mod_wsgi CESA-2014:0788 centos6
Resumen:	The remote host is missing an update for the 'mod_wsgi'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'mod_wsgi' package(s) announced via the referenced advisory. Vulnerability Insight: The mod_wsgi adapter is an Apache module that provides a WSGI-compliant interface for hosting Python-based web applications within Apache. It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system. (CVE-2014-0240) Note: mod_wsgi is not intended to provide privilege separation for WSGI applications. Systems relying on mod_wsgi to limit or sandbox the privileges of mod_wsgi applications should migrate to a different solution with proper privilege separation. It was discovered that mod_wsgi could leak memory of a hosted web application via the 'Content-Type' header. A remote attacker could possibly use this flaw to disclose limited portions of the web application's memory. (CVE-2014-0242) Red Hat would like to thank Graham Dumpleton for reporting these issues. Upstream acknowledges Robert Kisteleki as the original reporter of CVE-2014-0240, and Buck Golemon as the original reporter of CVE-2014-0242. All mod_wsgi users are advised to upgrade to this updated package, which contains backported patches to correct these issues. Affected Software/OS: mod_wsgi on CentOS 6 Solution: Please install the updated packages. CVSS Score: 6.2 CVSS Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-0240 BugTraq ID: 67532 http://www.securityfocus.com/bid/67532 http://www.openwall.com/lists/oss-security/2014/05/21/1 RedHat Security Advisories: RHSA-2014:0789 http://rhn.redhat.com/errata/RHSA-2014-0789.html http://secunia.com/advisories/59551 http://secunia.com/advisories/60094 Common Vulnerability Exposure (CVE) ID: CVE-2014-0242 http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html http://modwsgi.readthedocs.org/en/latest/release-notes/version-3.4.html http://www.securityfocus.com/bid/67534
Copyright	Copyright (C) 2014 Greenbone AG