SB2014121304 - Gentoo update for mod_wsgi
Published: December 13, 2014 Updated: August 9, 2022
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0240)
The vulnerability allows a local user to escalate privileges on the system.
The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.
2) Information disclosure (CVE-ID: CVE-2014-0242)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header, which is generated from memory that may have been freed and then overwritten by a separate thread.
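For the first issue (CVE-2014-0240), the general defence is to treat any setuid failure as fatal and to verify the resulting IDs before continuing. The C code below is an added example, not mod_wsgi's code; the function names, the two stub functions and the EAGAIN error are constructed assumptions used to simulate a setuid call that does not take effect.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Signature of setuid(2); passed in so a failing call can be simulated. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: a setuid() that refuses with EAGAIN. */
int setuid_fails_eagain(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Constructed stub: reports success but leaves the process UID unchanged. */
int setuid_noop(uid_t uid) { (void)uid; return 0; }

/* Weak pattern: the return value is ignored, so the caller believes
 * privileges were dropped even when the call failed. */
int drop_unchecked(uid_t target, setuid_fn do_setuid)
{
    do_setuid(target);
    return 0; /* always reports success */
}

/* Hardened pattern: fail closed on any error, then verify the real and
 * effective UID actually match the target. */
int drop_checked(uid_t target, setuid_fn do_setuid)
{
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%ld) failed, errno=%d\n", (long)target, errno);
        return -1;
    }
    if (getuid() != target || geteuid() != target) {
        fprintf(stderr, "uid is still %ld/%ld after setuid\n",
                (long)getuid(), (long)geteuid());
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t other = getuid() + 1; /* constructed: a UID that is not ours */
    printf("unchecked, failing setuid:  %d\n", drop_unchecked(other, setuid_fails_eagain));
    printf("checked, failing setuid:    %d\n", drop_checked(other, setuid_fails_eagain));
    printf("checked, no-op setuid:      %d\n", drop_checked(other, setuid_noop));
    printf("checked, real setuid(self): %d\n", drop_checked(getuid(), setuid));
    return 0;
}
```

A daemon process that gets -1 from the checked variant should exit rather than go on to serve requests with its original identity.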
Remediation
Install the update from the vendor's website.