Category: Red Hat Local Security Checks
Title: RedHat Update for mod_wsgi RHSA-2014:1091-01
Summary: The remote host is missing an update for the 'mod_wsgi' package(s) announced via the referenced advisory.
The mod_wsgi adapter is an Apache module that provides a WSGI-compliant
interface for hosting Python-based web applications within Apache.
It was found that mod_wsgi did not properly drop privileges if the call to
setuid() failed. If mod_wsgi was set up to allow unprivileged users to run
WSGI applications, a local user able to run a WSGI application could
possibly use this flaw to escalate their privileges on the system.
Note: mod_wsgi is not intended to provide privilege separation for WSGI
applications. Systems relying on mod_wsgi to limit or sandbox the
privileges of mod_wsgi applications should migrate to a different solution
with proper privilege separation.
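
The flaw described above, reduced to its general pattern in C. This is an added example, not mod_wsgi's code or the backported patch; the function names, the stubbed setuid() implementations and uid 1000 are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* setuid() is passed in so the failure path can be exercised without
 * root; a real daemon would pass the libc setuid directly. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stubs standing in for the system call. EAGAIN is one of
 * the errors documented for setuid(2). */
static int setuid_fails(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }
static int setuid_works(uid_t uid) { (void)uid; return 0; }

/* Flawed pattern: the result of setuid() is discarded, so the worker
 * goes on to run application code under its original identity. */
static int start_worker_unchecked(setuid_fn do_setuid, uid_t target)
{
    do_setuid(target);
    return 1;                       /* 1 = application code is run */
}

/* Hardened pattern: fail closed when the privilege drop fails. */
static int start_worker_checked(setuid_fn do_setuid, uid_t target)
{
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu) failed (errno %d); not starting\n",
                (unsigned long)target, errno);
        return 0;                   /* 0 = application code is not run */
    }
    return 1;
}

int main(void)
{
    uid_t app_uid = 1000;           /* constructed unprivileged uid */
    printf("unchecked, setuid fails: runs app = %d\n",
           start_worker_unchecked(setuid_fails, app_uid));
    printf("checked,   setuid fails: runs app = %d\n",
           start_worker_checked(setuid_fails, app_uid));
    printf("checked,   setuid works: runs app = %d\n",
           start_worker_checked(setuid_works, app_uid));
    return 0;
}
```
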
Red Hat would like to thank Graham Dumpleton for reporting this issue.
Upstream acknowledges Robert Kisteleki as the original reporter.
All mod_wsgi users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.
mod_wsgi on Red Hat Enterprise Linux Server (v. 7)
Please install the updated packages.
Common Vulnerability Exposure (CVE) ID: CVE-2014-0240
BugTraq ID: 67532
RedHat Security Advisories: RHSA-2014:0789
Copyright: Copyright (C) 2014 Greenbone Networks GmbH