Red Hat Bugzilla – Bug 231065
CVE-2004-2680 mod_python arbitrary data disclosure flaw
Last modified: 2012-02-23 23:38:55 EST
A rather old mod_python flaw has recently been brought to our attention by Kees
Cook from Ubuntu.
This flaw is described here:
This flaw also affects RHEL2.1 and RHEL3.
Created attachment 149298 [details]
I'm not convinced this should be considered a security issue.
The bug in question can only triggered by use of an output filter; such an
output filter could already execute arbitrary code with the privileges of the
That was my initial impression as well, but after thinking about this flaw for a
bit, it is possible for a remote users to leverage this to expose random memory.
I'm thinking an instance where an attacker can cause the page in question to
return a great deal of data, which would also contain our random memory.
I know this is unlikely, which is why I've rated the flaw as low.
Fair enough. This issue only affects mod_python versions which work with httpd
2.x, so the RHEL2.1 mod_python package is not affected by this issue.
*** Bug 236578 has been marked as a duplicate of this bug. ***
The Red Hat Security Response Team has rated this issue as having low security impact. We no longer plan to fix this flaw in Red Hat Enterprise Linux 4.