
Bug 152896

Summary: CAN-2005-0088 mod_python security issue in the publisher handler
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: mod_python
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas, sheltren
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
URL: https://rhn.redhat.com/errata/RHSA-2005-104.html
Whiteboard: 1, LEGACY, rh73, rh90
Doc Type: Bug Fix
Last Closed: 2006-04-04 20:25:30 EDT

Attachments:
  Proposed FLSA-2006-152896 mod_python advisory text (flags: none)

Description David Lawrence 2005-03-30 18:31:19 EST
Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
A remote user could visit a carefully crafted URL that would gain access to
objects that should not be visible, leading to an information leak. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-0088 to this issue.

Info:
https://rhn.redhat.com/errata/RHSA-2005-104.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0088

Although mitre.org says it's for 2.7.8 and earlier, RH has released updated
3.0.3 packages also.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2420 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2420
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
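The description above says only that a crafted URL could reach objects the publisher handler should not expose. The block below is an added illustration, not mod_python's publisher code and not the patch shipped in RHSA-2005-104: it models the traversal pattern such a handler relies on (each URL segment resolved with getattr, starting from the published module) and shows why an unrestricted walk leaks. The naive walker reaches an imported module, a private attribute and a function's `__globals__` straight from a URL; the hardened walker refuses underscore-prefixed names, traversal into other modules or through functions, and anything other than a plain callable as the final target. That restriction policy is an assumed remedy for the example, and every name in it (`app`, `hello`, `_secret`, `publish`, the status codes) is constructed here.

```python
import os
import types


def make_sample_module():
    """Constructed stand-in for a module served by a publisher-style handler.

    It carries what a real published module typically does: one function the
    author means to expose via URL, a module imported for internal use, and a
    private value. None of this is mod_python's own code.
    """
    mod = types.ModuleType("app")
    mod.os = os                      # imported for internal use, never meant for URLs
    mod._secret = "db-password"      # private by convention

    def hello(req=None):             # the only object the author intends to publish
        return "hello"

    mod.hello = hello
    return mod


def _segments(path):
    return [s for s in path.strip("/").split("/") if s]


def naive_resolve(module, path):
    """Resolve each URL segment with getattr: the unrestricted traversal.

    Whatever is reachable from the module object is reachable from a URL,
    including imported modules, private names and dunder attributes.
    """
    obj = module
    for name in _segments(path):
        obj = getattr(obj, name)     # AttributeError for unknown names
    return obj


class Forbidden(Exception):
    """The URL names an object that is not published."""


def hardened_resolve(module, path):
    """Traverse with explicit limits on what may be crossed and what may be returned.

    Assumed policy for this example: no underscore-prefixed segments, no descent
    into any module other than the published one, no descent through function
    objects, and the final target must be a plain callable (not a module or class).
    """
    obj = module
    for name in _segments(path):
        if name.startswith("_"):
            raise Forbidden("private or dunder name: %s" % name)
        if isinstance(obj, types.ModuleType) and obj is not module:
            raise Forbidden("traversal into imported module")
        if isinstance(obj, (types.FunctionType, types.BuiltinFunctionType)):
            raise Forbidden("traversal through a function's attributes")
        obj = getattr(obj, name)     # AttributeError for unknown names, as before
    if isinstance(obj, (types.ModuleType, type)) or not callable(obj):
        raise Forbidden("final object is not a published callable")
    return obj


def publish(module, path, resolver):
    """Mimic the handler's outcome as (status, body): 200, 403 or 404."""
    try:
        obj = resolver(module, path)
    except Forbidden:
        return (403, None)
    except AttributeError:
        return (404, None)
    if callable(obj):
        return (200, obj())
    return (200, repr(obj))          # a non-callable is rendered, i.e. leaked


if __name__ == "__main__":
    app = make_sample_module()
    for url in ("/hello", "/os/getcwd", "/_secret", "/hello/__globals__"):
        print(url, "naive:", publish(app, url, naive_resolve)[0],
              "hardened:", publish(app, url, hardened_resolve)[0])
```

Run stand-alone, the script prints a 200 for every URL under the naive resolver and 200 only for `/hello` under the hardened one; `/os/getcwd` returning the server's working directory is the kind of information leak the advisory describes, even though the function was never meant to be published.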

Comment 1 Jeff Sheltren 2006-03-11 15:37:48 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created new packages to fix this problem.  They can be found here:
http://www.cs.ucsb.edu/~jeff/legacy/mod_python/

RH7.3:
7a605ed081921a001e4a5bafe078ac1c467a2320  mod_python-2.7.8-1.7.3.3.legacy.src.rpm
RH9:
4a3c6c79d3ea7050cb07b34bf1d0003232fceb14  mod_python-3.0.1-4.1.legacy.src.rpm
FC1:
6af5ca0588321ca5fa3cb085e2c98e82e3400a2f  mod_python-3.0.4-0.1.1.legacy.src.rpm

The patches were borrowed from EL2/EL3 sources, although I needed to make
a small change to the configure script in order for the packages to build
properly.  The configure would disable linking to the ieee library if
/etc/redhat-release was found.  Since that file isn't present in the
build chroot, I disabled the check, and have it always remove the ieee link.
If someone has a better way to make that work, I'm open to suggestions,
but I find it to be a pretty straight forward solution.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)

iD8DBQFEEzY9Ke7MLJjUbNMRAqfDAJ4uR/+Okkp7AxPkZfz+QubziVo1awCgrYfk
KygFth58feoiAsPrAGn+KyI=
=yx96
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2006-03-12 06:37:31 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - CAN patches from RHEL, the ieee patch looks good

+PUBLISH RHL73, RHL9, FC1

7a605ed081921a001e4a5bafe078ac1c467a2320  mod_python-2.7.8-1.7.3.3.legacy.src.rpm
4a3c6c79d3ea7050cb07b34bf1d0003232fceb14  mod_python-3.0.1-4.1.legacy.src.rpm
6af5ca0588321ca5fa3cb085e2c98e82e3400a2f  mod_python-3.0.4-0.1.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEFAk9GHbTkzxSL7QRAoe3AKCT+j7u7LJRkGjs/G2uYR+qhREoOwCgunlu
N3FwWjeneRW/1Tjim3wOoIY=
=6x3X
-----END PGP SIGNATURE-----
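Comment 1 posts SHA-1 sums for the three SRPMs and Comment 2's QA starts by confirming source integrity against them. The block below is an added example of that step, not Fedora Legacy's rpm-build-compare.sh: it parses sum lines in the `digest  filename` form used above (the three lines from Comment 1 are copied in as `POSTED_SUMS`; the SRPMs themselves are not reproduced, so the self-check hashes constructed files instead) and reports each listed file as OK, MISMATCH or MISSING. SHA-1 is used because that is what the bug posted; for a new process you would pair the digest with the signed announcement rather than rely on the hash alone.

```python
import hashlib
import os
import tempfile

# The SHA-1 lines as posted in Comment 1 (copied from the page).
POSTED_SUMS = """\
7a605ed081921a001e4a5bafe078ac1c467a2320  mod_python-2.7.8-1.7.3.3.legacy.src.rpm
4a3c6c79d3ea7050cb07b34bf1d0003232fceb14  mod_python-3.0.1-4.1.legacy.src.rpm
6af5ca0588321ca5fa3cb085e2c98e82e3400a2f  mod_python-3.0.4-0.1.1.legacy.src.rpm
"""

HEX = set("0123456789abcdef")


def parse_sums(text):
    """Parse 'hexdigest  filename' lines (sha1sum output format) into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")          # sha1sum marks binary mode with '*'
        digest = digest.lower()
        if len(digest) != 40 or not set(digest) <= HEX or not name:
            raise ValueError("malformed digest line: %r" % line)
        sums[name] = digest
    return sums


def sha1_file(path, chunk=1 << 16):
    """Stream the file through SHA-1 so large SRPMs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_sums(sums, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in sums.items():
        # basename() keeps a crafted sum list from pointing outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha1_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def all_ok(results):
    """True only when every listed file was present and matched."""
    return bool(results) and all(v == "OK" for v in results.values())


def self_check():
    """Hash two constructed files, list a third that does not exist, then tamper with one.

    Returns the verification results before and after the tampering.
    """
    d = tempfile.mkdtemp()
    paths = {}
    for name, payload in (("good.src.rpm", b"constructed payload 1\n"),
                          ("bad.src.rpm", b"constructed payload 2\n")):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(payload)
        paths[name] = p
    sumtext = "".join("%s  %s\n" % (sha1_file(p), n) for n, p in paths.items())
    sumtext += "%s  absent.src.rpm\n" % ("0" * 40)
    before = verify_sums(parse_sums(sumtext), d)
    with open(paths["bad.src.rpm"], "ab") as f:
        f.write(b"tampered\n")
    after = verify_sums(parse_sums(sumtext), d)
    return before, after


if __name__ == "__main__":
    for name, digest in parse_sums(POSTED_SUMS).items():
        print(digest, name)
    before, after = self_check()
    print("before tampering:", before, "all ok:", all_ok(before))
    print("after tampering: ", after, "all ok:", all_ok(after))
```

With the three SRPMs downloaded into one directory, `verify_sums(parse_sums(POSTED_SUMS), that_dir)` is the check Comment 2 reports; `all_ok` must be true before any build is started from them.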
Comment 3 Marc Deslauriers 2006-03-15 20:26:27 EST
Packages were pushed to updates-testing.
Comment 4 Pekka Savola 2006-03-31 00:27:41 EST
Timeout over.
Comment 5 David Eisenstein 2006-04-02 19:34:53 EDT
Created attachment 127216
Proposed FLSA-2006-152896 mod_python advisory text

Here is a proposed advisory text to push this to updates.
Comment 6 Marc Deslauriers 2006-04-04 20:25:30 EDT
Packages were released to updates.