Bugzilla – Bug 903961
VUL-0: CVE-2014-8583: apache2-mod_wsgi: failure to handle errors when attempting to drop group privileges
Last modified: 2015-03-27 02:45:28 UTC
rh#1111034

It was reported that mod_wsgi failed to handle errors when attempting to drop group privileges. An error would be printed, but mod_wsgi would continue running with root group privileges.

This issue has been fixed in the 4.2.4 release:
http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.2.4.html

SLE 12, openSUSE 13.2 and openSUSE Factory don't seem to be affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1111034
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583
http://seclists.org/oss-sec/2014/q2/545
http://seclists.org/oss-sec/2014/q2/555
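The failure mode described in the report above, as an added C example (not mod_wsgi's code and not part of the original bug report): a group drop that only logs a failed setgid next to one that fails closed and verifies the result. The function names, the function-pointer seam and the stubbed kernel state are hypothetical, constructed so the failure path runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical seam: production code would pass setgid(2) and getegid(2);
 * the constructed stubs below let the failure path run without root. */
typedef int (*setgid_fn)(gid_t);
typedef gid_t (*getegid_fn)(void);

/* Pattern from the report: the error is printed, the caller never learns. */
static int drop_group_log_only(gid_t gid, setgid_fn do_setgid)
{
    if (do_setgid(gid) == -1)
        fprintf(stderr, "setgid(%ld) failed: %s\n", (long)gid, strerror(errno));
    return 0; /* failure looks like success, so the process keeps running */
}

/* Hardened form: fail closed, then verify the change took effect. */
static int drop_group_checked(gid_t gid, setgid_fn do_setgid, getegid_fn get_egid)
{
    if (do_setgid(gid) == -1) {
        fprintf(stderr, "setgid(%ld) failed: %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (get_egid() != gid) {
        fprintf(stderr, "effective gid is still %ld\n", (long)get_egid());
        return -1;
    }
    return 0;
}

/* Constructed test doubles standing in for the kernel's view of the process. */
static gid_t fake_egid = 0; /* 0 = root group */
static gid_t fake_getegid(void) { return fake_egid; }
static int fake_setgid_ok(gid_t gid) { fake_egid = gid; return 0; }
static int fake_setgid_denied(gid_t gid) { (void)gid; errno = EPERM; return -1; }

int main(void)
{
    /* Log-only variant reports success while the group is still root's. */
    printf("log_only: rc=%d egid=%ld\n",
           drop_group_log_only(1000, fake_setgid_denied), (long)fake_getegid());
    /* Checked variant returns -1; the caller must exit instead of serving. */
    if (drop_group_checked(1000, fake_setgid_denied, fake_getegid) != 0)
        puts("checked: refused to continue with root group");
    printf("checked ok: rc=%d\n", drop_group_checked(1000, fake_setgid_ok, fake_getegid));
    return 0;
}
```

A caller of the checked variant should treat a non-zero return as fatal and terminate before handling any request.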
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-11-20. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59587
Moving to the engineering team
Packages submitted for SLES11 (SP2 and SP3). openSUSE 12.3 and 13.1 submitted as well (maintenance request 263092). Re-assign to security team to write the patchinfos and tracking.
SUSE-SU-2014:1572-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 903961
CVE References: CVE-2014-8583
Sources used:
SUSE Cloud 4 (src): apache2-mod_wsgi-3.3-5.7.1
SUSE Cloud 3 (src): apache2-mod_wsgi-3.3-5.7.1
released
openSUSE-SU-2014:1590-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 903961
CVE References: CVE-2014-8583
Sources used:
openSUSE 13.1 (src): apache2-mod_wsgi-3.4-2.28.1
openSUSE 12.3 (src): apache2-mod_wsgi-3.3-12.8.1
SUSE-SU-2014:1572-2: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 903961
CVE References: CVE-2014-8583
Sources used:
SUSE Manager Server (src): apache2-mod_wsgi-3.3-5.7.1
SUSE Manager Proxy 1.7 for SLE 11 SP2 (src): apache2-mod_wsgi-3.3-5.7.1
SUSE Manager Proxy (src): apache2-mod_wsgi-3.3-5.7.1
SUSE Manager 1.7 for SLE 11 SP2 (src): apache2-mod_wsgi-3.3-5.7.1
SUSE-RU-2015:0611-1: An update that solves 8 vulnerabilities and has 123 fixes is now available.
Category: recommended (important)
Bug References: 653265,767279,808947,841731,855389,858971,860299,862408,867836,870159,872029,872298,872351,875231,875452,878550,878553,879904,879992,879998,880001,880022,880026,880027,880081,880087,880327,880388,880936,881111,881225,881522,881711,882468,883009,883057,883379,883487,884051,884081,884350,884366,885889,886391,886421,887538,887879,889363,889605,889721,889739,889905,892707,892711,893608,895001,895961,896029,896109,896238,896244,896254,896844,897723,898242,898426,898428,899266,900956,901058,901108,901193,901675,901776,901927,901928,901958,902182,902373,902494,902503,902915,903064,903720,903723,903880,903961,904690,904699,904703,904732,904841,904959,905072,905263,905530,906850,906851,906887,907086,907106,907337,907527,907586,907643,907645,907646,907677,907809,908317,908320,908849,909724,910243,910482,910494,911166,911180,911272,911808,912035,912057,912886,913215,913221,913939,914260,914437,914900,915140,919448
CVE References: CVE-2014-0114,CVE-2014-0240,CVE-2014-0242,CVE-2014-3654,CVE-2014-7811,CVE-2014-7812,CVE-2014-8583,CVE-2014-9130
Sources used:
SUSE Manager Server (src): apache2-mod_wsgi-3.3-5.7.17, auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58, cobbler-2.2.2-0.54.9, google-gson-2.2.4-0.7.52, libyaml-0.1.3-0.10.16.11, oracle-config-1.1-0.10.10.16, osad-5.11.33.7-0.7.16, perl-Class-Singleton-1.4-4.13.38, perl-NOCpulse-Object-1.26.13.2-0.7.13, perl-Satcon-1.20.2-0.7.6, postgresql91-9.1.15-0.3.1, pxe-default-image-0.1-0.20.56, python-enum34-1.0-0.7.33, python-gzipstream-1.10.2.2-0.7.6, rhn-custom-info-5.4.22.6-0.7.13, rhnlib-2.5.69.6-0.7.6, rhnmd-5.3.18.4-0.7.15, rhnpush-5.5.71.7-0.7.16, sm-ncc-sync-data-2.1.9-0.7.6, smdba-1.5.1-0.7.6, spacecmd-2.1.25.7-0.7.9, spacewalk-admin-2.1.2.4-0.7.6, spacewalk-backend-2.1.55.15-0.7.11, spacewalk-branding-2.1.33.10-0.7.16, spacewalk-certs-tools-2.1.6.5-0.7.10, spacewalk-client-tools-2.1.16.6-0.7.9, spacewalk-config-2.1.5.4-0.7.15, spacewalk-doc-indexes-2.1.2.3-0.7.26, spacewalk-java-2.1.165.14-0.7.16, spacewalk-reports-2.1.14.8-0.7.10, spacewalk-search-2.1.14.6-0.7.18, spacewalk-setup-2.1.14.9-0.7.6, spacewalk-setup-jabberd-2.1.0.2-0.7.6, spacewalk-utils-2.1.27.12-0.7.25, spacewalk-web-2.1.60.12-0.7.7, spacewalksd-5.0.14.6-0.7.15, struts-1.2.9-162.33.22, supportutils-plugin-susemanager-1.0.3-0.5.5, supportutils-plugin-susemanager-client-1.0.4-0.5.5, suseRegisterInfo-2.1.9-0.7.29, susemanager-2.1.17-0.7.11, susemanager-jsp_en-2.1-0.15.23, susemanager-manuals_en-2.1-0.15.24, susemanager-schema-2.1.50.11-0.7.8, susemanager-sync-data-2.1.5-0.7.6, tanukiwrapper-3.2.3-0.10.12, yum-3.2.29-0.19.30, zypp-plugin-spacewalk-0.9.8-0.15.51