Bugzilla – Bug 878553
VUL-0: CVE-2014-0242: apache2-mod_wsgi - Information exposure
Last modified: 2015-03-27 02:42:57 UTC
EMBARGOED, via vs:

Could I request a CVE ID for an information exposure in mod_wsgi.

The mod_wsgi package is an Apache module for hosting Python web applications.

* http://www.modwsgi.org/

This underlying issue was actually identified and previously fixed in version 3.4 (August 2012) of mod_wsgi. See item 7 in:

* http://code.google.com/p/modwsgi/wiki/ChangesInVersion0304

7. Response Content-Type header could be corrupted when being sent in multithreaded configuration and embedded mode being used. Problem thus affected Windows and worker MPM on UNIX.

At the time it was believed to be relatively benign, only ever having been seen with one specific web application (Trac - http://trac.edgewall.org), with the corrupted value being replaced with a small set of known values which themselves did not raise concerns.

A new use case scenario for Python WSGI applications has now been identified which opens this up and which can result in arbitrary corruption of the web server HTTP response Content-Type value, resulting in possible exposure of data from the hosted web application to a HTTP client.

The new use case also opens the possibility that the issue can occur with any Apache MPM and not just multithreaded MPMs as previously identified. It is still however restricted to the case where embedded mode of mod_wsgi is being used.

As the issue was already fixed in a prior version of mod_wsgi, the purpose of this CVE is to highlight to any distros who still ship mod_wsgi 3.3 or earlier that the issue exists and patches should be backported.

The original change made in version 3.4 of mod_wsgi to address this issue can be found at:

* https://github.com/GrahamDumpleton/mod_wsgi/commit/b0a149c1f5e569932325972e2e20176a42e43517

Thanks.

Graham Dumpleton
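The report above narrows exposure to two conditions: mod_wsgi older than 3.4, and applications running in embedded mode (inside the Apache worker, rather than in a WSGIDaemonProcess group). The following script is an added example, not part of this bug report or of the mod_wsgi project, that a packager or administrator could use to triage a host against those two conditions. It assumes a simplified view of the Apache configuration: an application is treated as embedded when WSGIScriptAlias is present and no WSGIProcessGroup directive routes it to a daemon process; per-Location scoping, Include files and other mod_wsgi options are not modelled. The configuration snippets and version strings are constructed for the example; the "3.3-12.4.1" and "3.4-2.8.1" forms mirror the package versions listed in the advisories further down this page.

```python
import re

# Upstream version that fixed the Content-Type corruption (mod_wsgi 3.4, per the report).
FIXED_VERSION = (3, 4)

# Constructed sample configurations (not taken from any real host).
EMBEDDED_CONF = """
# Application served in embedded mode: no daemon process group assigned.
LoadModule wsgi_module modules/mod_wsgi.so
WSGIScriptAlias /trac /srv/trac/trac.wsgi
"""

DAEMON_CONF = """
# Application routed to a daemon process group (daemon mode).
LoadModule wsgi_module modules/mod_wsgi.so
WSGIDaemonProcess trac processes=2 threads=15
WSGIProcessGroup trac
WSGIScriptAlias /trac /srv/trac/trac.wsgi
"""


def parse_version(version_str):
    """Return the upstream version of a package version string as an int tuple.

    A distro package version such as '3.3-12.4.1' carries the packaging
    release after the '-'; only the upstream part '3.3' matters here.
    """
    upstream = version_str.split("-", 1)[0]
    parts = re.findall(r"\d+", upstream)
    if not parts:
        raise ValueError("no numeric version in %r" % version_str)
    return tuple(int(p) for p in parts)


def _active_directives(config_text):
    """Yield (directive, rest) for non-comment, non-blank configuration lines."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        yield name, rest.strip()


def uses_embedded_mode(config_text):
    """Simplified heuristic: WSGI app present but never assigned to a daemon group.

    Assumption for this example: a WSGIProcessGroup directive anywhere in the
    text counts as routing the application to daemon mode; without one,
    WSGIScriptAlias applications run embedded in the Apache worker.
    """
    has_app = False
    has_process_group = False
    for name, _ in _active_directives(config_text):
        if name == "WSGIScriptAlias":
            has_app = True
        elif name == "WSGIProcessGroup":
            has_process_group = True
    return has_app and not has_process_group


def is_affected(version_str, config_text):
    """True when both report conditions hold: version < 3.4 and embedded mode."""
    return parse_version(version_str) < FIXED_VERSION and uses_embedded_mode(config_text)


def explain(version_str, config_text):
    """Human-readable triage result for one host."""
    version = parse_version(version_str)
    mode = "embedded" if uses_embedded_mode(config_text) else "daemon"
    verdict = "AFFECTED" if is_affected(version_str, config_text) else "not affected"
    return "mod_wsgi %s, %s mode: %s (CVE-2014-0242)" % (
        ".".join(str(p) for p in version), mode, verdict)


if __name__ == "__main__":
    for ver in ("3.3-12.4.1", "3.4-2.8.1"):
        for label, conf in (("embedded", EMBEDDED_CONF), ("daemon", DAEMON_CONF)):
            print(label, "->", explain(ver, conf))
```

Run against a real host, the version string would come from the package manager (for example the apache2-mod_wsgi version in the advisories below) and the configuration text from the enabled Apache config; where the check reports an embedded-mode deployment on a pre-3.4 build, the remediation is the backported fix or an upgrade, or moving the application to a WSGIDaemonProcess group until the package is updated.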
CVE-2014-0242 has been assigned. Please go ahead with the updates.
Issue public now: http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html
What info do you want? I am missing the question?
openSUSE 12.3 is affected. openSUSE 13.1 and higher not.
Packages submitted for openSUSE as maintenance request 235289
This is an autogenerated message for OBS integration: This bug (878553) was mentioned in https://build.opensuse.org/request/show/235289 13.1+12.3 / apache2-mod_wsgi
openSUSE-SU-2014:0782-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 878550,878553 CVE References: CVE-2014-0240,CVE-2014-0242 Sources used: openSUSE 13.1 (src): apache2-mod_wsgi-3.4-2.8.1 openSUSE 12.3 (src): apache2-mod_wsgi-3.3-12.4.1, apache2-mod_wsgi-3.4-2.8.1
Update released for: apache2-mod_wsgi Products: SUSE-CLOUD 3.0 (x86_64)
SUSE-SU-2014:0794-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 878550,878553 CVE References: CVE-2014-0240,CVE-2014-0242 Sources used: SUSE Cloud 3 (src): apache2-mod_wsgi-3.3-5.5.1
Update released for: apache2-mod_wsgi, apache2-mod_wsgi-debuginfo, apache2-mod_wsgi-debugsource Products: SUSE-MANAGER 1.7 (x86_64) SUSE-MANAGER-PROXY 1.7 (x86_64)
SUSE-SU-2014:0794-2: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 878550,878553 CVE References: CVE-2014-0240,CVE-2014-0242 Sources used: SUSE Manager Proxy 1.7 for SLE 11 SP2 (src): apache2-mod_wsgi-3.3-5.5.1 SUSE Manager 1.7 for SLE 11 SP2 (src): apache2-mod_wsgi-3.3-5.5.1
was released
SUSE-SU-2014:0956-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 878550,878553 CVE References: CVE-2014-0240 Sources used: SUSE Manager Server (src): apache2-mod_wsgi-3.3-5.5.5 SUSE Manager Proxy (src): apache2-mod_wsgi-3.3-5.5.5
SUSE-RU-2015:0611-1: An update that solves 8 vulnerabilities and has 123 fixes is now available. Category: recommended (important) Bug References: 653265,767279,808947,841731,855389,858971,860299,862408,867836,870159,872029,872298,872351,875231,875452,878550,878553,879904,879992,879998,880001,880022,880026,880027,880081,880087,880327,880388,880936,881111,881225,881522,881711,882468,883009,883057,883379,883487,884051,884081,884350,884366,885889,886391,886421,887538,887879,889363,889605,889721,889739,889905,892707,892711,893608,895001,895961,896029,896109,896238,896244,896254,896844,897723,898242,898426,898428,899266,900956,901058,901108,901193,901675,901776,901927,901928,901958,902182,902373,902494,902503,902915,903064,903720,903723,903880,903961,904690,904699,904703,904732,904841,904959,905072,905263,905530,906850,906851,906887,907086,907106,907337,907527,907586,907643,907645,907646,907677,907809,908317,908320,908849,909724,910243,910482,910494,911166,911180,911272,911808,912035,912057,912886,913215,913221,913939,914260,914437,914900,915140,919448 CVE References: CVE-2014-0114,CVE-2014-0240,CVE-2014-0242,CVE-2014-3654,CVE-2014-7811,CVE-2014-7812,CVE-2014-8583,CVE-2014-9130 Sources used: SUSE Manager Server (src): apache2-mod_wsgi-3.3-5.7.17, auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58, cobbler-2.2.2-0.54.9, google-gson-2.2.4-0.7.52, libyaml-0.1.3-0.10.16.11, oracle-config-1.1-0.10.10.16, osad-5.11.33.7-0.7.16, perl-Class-Singleton-1.4-4.13.38, perl-NOCpulse-Object-1.26.13.2-0.7.13, perl-Satcon-1.20.2-0.7.6, postgresql91-9.1.15-0.3.1, pxe-default-image-0.1-0.20.56, python-enum34-1.0-0.7.33, python-gzipstream-1.10.2.2-0.7.6, rhn-custom-info-5.4.22.6-0.7.13, rhnlib-2.5.69.6-0.7.6, rhnmd-5.3.18.4-0.7.15, rhnpush-5.5.71.7-0.7.16, sm-ncc-sync-data-2.1.9-0.7.6, smdba-1.5.1-0.7.6, spacecmd-2.1.25.7-0.7.9, spacewalk-admin-2.1.2.4-0.7.6, spacewalk-backend-2.1.55.15-0.7.11, spacewalk-branding-2.1.33.10-0.7.16, spacewalk-certs-tools-2.1.6.5-0.7.10, 
spacewalk-client-tools-2.1.16.6-0.7.9, spacewalk-config-2.1.5.4-0.7.15, spacewalk-doc-indexes-2.1.2.3-0.7.26, spacewalk-java-2.1.165.14-0.7.16, spacewalk-reports-2.1.14.8-0.7.10, spacewalk-search-2.1.14.6-0.7.18, spacewalk-setup-2.1.14.9-0.7.6, spacewalk-setup-jabberd-2.1.0.2-0.7.6, spacewalk-utils-2.1.27.12-0.7.25, spacewalk-web-2.1.60.12-0.7.7, spacewalksd-5.0.14.6-0.7.15, struts-1.2.9-162.33.22, supportutils-plugin-susemanager-1.0.3-0.5.5, supportutils-plugin-susemanager-client-1.0.4-0.5.5, suseRegisterInfo-2.1.9-0.7.29, susemanager-2.1.17-0.7.11, susemanager-jsp_en-2.1-0.15.23, susemanager-manuals_en-2.1-0.15.24, susemanager-schema-2.1.50.11-0.7.8, susemanager-sync-data-2.1.5-0.7.6, tanukiwrapper-3.2.3-0.10.12, yum-3.2.29-0.19.30, zypp-plugin-spacewalk-0.9.8-0.15.51