mod_wsgi allows you to host Python applications on the Apache HTTP Server. It was reported that mod_wsgi failed to handle errors when attempting to drop group privileges. An error would be printed, but mod_wsgi would continue running with root group privileges. If an administrator has configured mod_wsgi to allow less trusted users to run a WSGI application, they could use this flaw to escalate their privileges if a group-dropping function failed. This issue has been fixed in the 4.2.4 release: http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.2.4.html References: http://seclists.org/oss-sec/2014/q2/545 http://seclists.org/oss-sec/2014/q2/555
Created python26-mod_wsgi tracking bugs for this issue: Affects: epel-5 [bug 1111037]
Created mod_wsgi tracking bugs for this issue: Affects: fedora-all [bug 1111035] Affects: epel-5 [bug 1111036]
Created attachment 910266 [details] mod_wsgi-4.2.3 Vs mod_wsgi-4.2.4 diff A diff of upstream versions mod_wsgi-4.2.3 and mod_wsgi-4.2.4.zip. Note all the extra return() calls.
Upstream commit: https://github.com/GrahamDumpleton/mod_wsgi/commit/545354a80b9cc20d8b6916ca30542eab36c3b8bd
CVE request: http://www.openwall.com/lists/oss-security/2014/06/19/7
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.
CVE-2014-8583 was assigned to this issue: http://seclists.org/oss-sec/2014/q4/519
Statement: This issue affects the versions of mod_wsgi as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.