Bug 152896 - CAN-2005-0088 mod_python security issue in the publisher handler
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: mod_python
Version: unspecified
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: 1, LEGACY, rh73, rh90
Keywords: Security
Reported: 2005-02-10 13:51 EST by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT
Doc Type: Bug Fix
Last Closed: 2006-04-04 20:25:30 EDT

Attachments
Proposed FLSA-2006-152896 mod_python advisory text (4.52 KB, text/plain), 2006-04-02 19:34 EDT, David Eisenstein

Description David Lawrence 2005-03-30 18:31:19 EST
Graham Dumpleton discovered a flaw affecting the publisher handler of
mod_python, used to make objects inside modules callable via URL.
A remote user could visit a carefully crafted URL that would gain access to
objects that should not be visible, leading to an information leak. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-0088 to this issue.

Info:
https://rhn.redhat.com/errata/RHSA-2005-104.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0088

Although mitre.org says it's for 2.7.8 and earlier, RH has released updated
3.0.3 packages also.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:31 -------

This bug previously known as bug 2420 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2420
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

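The description above names the hazard class: a publisher-style handler that walks URL path segments straight into a module's attributes can serve objects the author never meant to expose. The following is an added illustration in Python, not mod_python's code and not the Red Hat patch this bug tracks. It places the over-permissive attribute walk beside an allowlisted resolver that only serves callables listed in an explicit export table and refuses to descend into modules, classes or underscore-prefixed names. The demo module, its `__published__` table and the values in it are constructed for the example.

```python
import os
import types


class PublishError(Exception):
    """Raised when a URL path does not map to a published callable."""


def build_demo_module():
    """Constructed stand-in for an application module served via a publisher-style handler."""
    app = types.ModuleType("app")

    def hello(name="world"):
        return "hello " + name

    app.hello = hello                        # meant to be reachable as /hello
    app.os = os                              # imported for internal use, not for publishing
    app._db_password = "constructed-secret"  # private by convention, must never be served
    app.__published__ = {"hello": hello}     # explicit export table (hypothetical name)
    return app


def _segments(path):
    """Splits a URL path into non-empty segments."""
    return [s for s in path.split("/") if s]


def resolve_permissive(module, path):
    """Walks every URL segment with getattr and no checks: the hazardous pattern."""
    obj = module
    for seg in _segments(path):
        obj = getattr(obj, seg)
    return obj


def resolve_allowlisted(module, path):
    """Maps a URL path to a callable only through the module's explicit export table."""
    segs = _segments(path)
    if not segs:
        raise PublishError("empty path")
    exports = getattr(module, "__published__", None)
    if not isinstance(exports, dict) or segs[0] not in exports:
        raise PublishError("not published: " + segs[0])
    obj = exports[segs[0]]
    for seg in segs[1:]:
        # never descend into modules or classes, and never into private names
        if seg.startswith("_") or isinstance(obj, (types.ModuleType, type)):
            raise PublishError("traversal refused at: " + seg)
        try:
            obj = getattr(obj, seg)
        except AttributeError:
            raise PublishError("no such attribute: " + seg) from None
    if not callable(obj):
        raise PublishError("not callable: " + segs[-1])
    return obj


def serve(module, path, resolver):
    """Returns the response body a client would see for the given path and resolver."""
    try:
        target = resolver(module, path)
    except (AttributeError, PublishError) as exc:
        return "403: " + str(exc)
    result = target() if callable(target) else target
    return str(result)


if __name__ == "__main__":
    app = build_demo_module()
    for path in ("/hello", "/_db_password"):
        print(path, "permissive ->", serve(app, path, resolve_permissive))
        print(path, "allowlisted ->", serve(app, path, resolve_allowlisted))
```

The permissive resolver returns the private string for `/_db_password`, which is the information-leak shape the description talks about; the allowlisted one answers 403 for anything outside the export table and stops the walk before it reaches a module or class object. For review purposes, the property worth checking in any such dispatcher is that the set of reachable objects is defined by an explicit list, not by whatever happens to be importable into the module's namespace.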
Comment 1 Jeff Sheltren 2006-03-11 15:37:48 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created new packages to fix this problem.  They can be found here:
http://www.cs.ucsb.edu/~jeff/legacy/mod_python/

RH7.3:
7a605ed081921a001e4a5bafe078ac1c467a2320  mod_python-2.7.8-1.7.3.3.legacy.src.rpm
RH9:
4a3c6c79d3ea7050cb07b34bf1d0003232fceb14  mod_python-3.0.1-4.1.legacy.src.rpm
FC1:
6af5ca0588321ca5fa3cb085e2c98e82e3400a2f  mod_python-3.0.4-0.1.1.legacy.src.rpm

The patches were borrowed from EL2/EL3 sources, although I needed to make
a small change to the configure script in order for the packages to build
properly.  The configure would disable linking to the ieee library if
/etc/redhat-release was found.  Since that file isn't present in the
build chroot, I disabled the check, and have it always remove the ieee link.
If someone has a better way to make that work, I'm open to suggestions,
but I find it to be a pretty straightforward solution.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)

iD8DBQFEEzY9Ke7MLJjUbNMRAqfDAJ4uR/+Okkp7AxPkZfz+QubziVo1awCgrYfk
KygFth58feoiAsPrAGn+KyI=
=yx96
-----END PGP SIGNATURE-----
Comment 2 Pekka Savola 2006-03-12 06:37:31 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - CAN patches from RHEL, the ieee patch looks good

+PUBLISH RHL73, RHL9, FC1

7a605ed081921a001e4a5bafe078ac1c467a2320  mod_python-2.7.8-1.7.3.3.legacy.src.rpm
4a3c6c79d3ea7050cb07b34bf1d0003232fceb14  mod_python-3.0.1-4.1.legacy.src.rpm
6af5ca0588321ca5fa3cb085e2c98e82e3400a2f  mod_python-3.0.4-0.1.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEFAk9GHbTkzxSL7QRAoe3AKCT+j7u7LJRkGjs/G2uYR+qhREoOwCgunlu
N3FwWjeneRW/1Tjim3wOoIY=
=6x3X
-----END PGP SIGNATURE-----
Comment 3 Marc Deslauriers 2006-03-15 20:26:27 EST
Packages were pushed to updates-testing.
Comment 4 Pekka Savola 2006-03-31 00:27:41 EST
Timeout over.
Comment 5 David Eisenstein 2006-04-02 19:34:53 EDT
Created attachment 127216 [details]
Proposed FLSA-2006-152896 mod_python advisory text

Here is a proposed advisory text to push this to updates.
Comment 6 Marc Deslauriers 2006-04-04 20:25:30 EDT
Packages were released to updates.
