============================================================================
Ubuntu Security Notice USN-2222-1
May 26, 2014

mod-wsgi vulnerabilities
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.04 LTS

Summary:

mod_wsgi could be made to run programs as an administrator if it executes a
specially crafted file.

mod_wsgi could be made to expose sensitive information over the network.

Software Description:
- mod-wsgi: Python WSGI adapter module for Apache

Details:

Róbert Kisteleki discovered mod_wsgi incorrectly checked setuid return
values. A malicious application could use this issue to cause a local
privilege escalation when using daemon mode. (CVE-2014-0240)

Buck Golemon discovered that mod_wsgi used memory that had been freed. A
remote attacker could use this issue to read process memory via the
Content-Type response header. This issue only affected Ubuntu 12.04 LTS.
(CVE-2014-0242)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  libapache2-mod-wsgi 3.4-4ubuntu2.1.14.04.1
  libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.14.04.1

Ubuntu 13.10:
  libapache2-mod-wsgi 3.4-4ubuntu2.1.13.10.1
  libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.13.10.1

Ubuntu 12.04 LTS:
  libapache2-mod-wsgi 3.3-4ubuntu0.1
  libapache2-mod-wsgi-py3 3.3-4ubuntu0.1

After a standard system update you need to restart apache2 to make all the
necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2222-1
  CVE-2014-0240, CVE-2014-0242

Package Information:
  https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.14.04.1
  https://launchpad.net/ubuntu/+source/mod-wsgi/3.4-4ubuntu2.1.13.10.1
  https://launchpad.net/ubuntu/+source/mod-wsgi/3.3-4ubuntu0.1