Package name
apache-mod_wsgi
Date
2014-07-11
Advisory ID
MDVSA-2014:137
Affected versions
MBS1 x86_64

Problem description

Multiple vulnerabilities have been discovered and corrected in
apache-mod_wsgi:

It was found that mod_wsgi did not properly drop privileges if
the call to setuid() failed. If mod_wsgi was set up to allow
unprivileged users to run WSGI applications, a local user able to
run a WSGI application could possibly use this flaw to escalate their
privileges on the system (CVE-2014-0240).
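
The failure mode described above (a privilege drop whose setuid() result is not acted on), shown beside a fail-closed version. This is an added, generic illustration and is not mod_wsgi's code or its patch. The names setuid_fn, failing_setuid, noop_setuid, drop_unchecked and drop_checked are hypothetical, and the setuid call is passed in as a parameter only so that a failure can be simulated without root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption for this demo: the setuid call is injectable so it can be made to fail. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: behaves like setuid() failing with EAGAIN. */
int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Constructed stub: reports success but leaves the process identity unchanged. */
int noop_setuid(uid_t uid) { (void)uid; return 0; }

/* Weak pattern: the result is ignored, so execution continues under the
 * original identity. Returns 1 if the process is NOT running as target. */
int drop_unchecked(uid_t target, setuid_fn do_setuid) {
    do_setuid(target);                       /* a failure is silently lost here */
    return getuid() != target || geteuid() != target;
}

/* Hardened pattern: fail closed. Returns 0 only if the call succeeded AND the
 * real and effective uid both equal target; the caller must abort on -1. */
int drop_checked(uid_t target, setuid_fn do_setuid) {
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%ld) failed: %s\n", (long)target, strerror(errno));
        return -1;
    }
    if (getuid() != target || geteuid() != target) {
        fprintf(stderr, "uid not %ld after setuid()\n", (long)target);
        return -1;
    }
    return 0;
}

int main(void) {
    uid_t me = getuid();       /* setuid() to our own uid needs no privilege */
    uid_t other = me + 1;      /* constructed: any uid that is not ours */
    printf("unchecked, setuid fails: wrong identity = %d\n",
           drop_unchecked(other, failing_setuid));
    printf("checked, setuid fails:   rc = %d\n", drop_checked(other, failing_setuid));
    printf("checked, no-op setuid:   rc = %d\n", drop_checked(other, noop_setuid));
    printf("checked, real setuid:    rc = %d\n", drop_checked(me, setuid));
    return 0;
}
```

A full privilege drop also sets supplementary groups and the gid before the uid, with each call checked the same way.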

It was discovered that mod_wsgi could leak memory of a hosted web
application via the Content-Type header. A remote attacker could
possibly use this flaw to disclose limited portions of the web
application's memory (CVE-2014-0242).

The updated packages have been patched to correct these issues.

Updated packages

MBS1 x86_64

 b0dab0032790662dce72017097844afb  mbs1/x86_64/apache-mod_wsgi-3.3-7.1.mbs1.x86_64.rpm 
 8f2adb300f9170b623cf4be749a31f60  mbs1/SRPMS/apache-mod_wsgi-3.3-7.1.mbs1.src.rpm

References