mod_wsgi allows you to host Python applications on the Apache HTTP Server. It was reported that mod_wsgi failed to handle errors when attempting to drop group privileges. An error would be printed, but mod_wsgi would continue running with root group privileges.
If an administrator has configured mod_wsgi to allow less trusted users to run a WSGI application, they could use this flaw to escalate their privileges if a group-dropping function failed.
This issue has been fixed in the 4.2.4 release:
Created python26-mod_wsgi tracking bugs for this issue:
Affects: epel-5 [bug 1111037]
Created mod_wsgi tracking bugs for this issue:
Affects: fedora-all [bug 1111035]
Affects: epel-5 [bug 1111036]
Created attachment 910266 [details]
mod_wsgi-4.2.3 Vs mod_wsgi-4.2.4 diff
A diff of upstream versions mod_wsgi-4.2.3 and mod_wsgi-4.2.4.zip. Note all the extra return() calls.
CVE request: http://www.openwall.com/lists/oss-security/2014/06/19/7
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.
CVE-2014-8583 was assigned to this issue: http://seclists.org/oss-sec/2014/q4/519
This issue affects the versions of mod_wsgi as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.