Debian DSA-2937-1 : mod-wsgi - security update

Medium Nessus Plugin ID 74197

Synopsis

The remote Debian host is missing a security-related update.

Description

Two security issues have been found in the Python WSGI adapter module for Apache :

- CVE-2014-0240 Robert Kisteleki discovered a potential privilege escalation in daemon mode. This is not exploitable with the kernel used in Debian 7.0/wheezy.

- CVE-2014-0242 Buck Golemon discovered that incorrect memory handling could lead to information disclosure when processing Content-Type headers.

Solution

Upgrade the mod-wsgi packages.

For the oldstable distribution (squeeze), these problems have been fixed in version 3.3-2+deb6u1.

For the stable distribution (wheezy), these problems have been fixed in version 3.3-4+deb7u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2014-0240

https://security-tracker.debian.org/tracker/CVE-2014-0242

https://packages.debian.org/source/squeeze/mod-wsgi

https://packages.debian.org/source/wheezy/mod-wsgi

https://www.debian.org/security/2014/dsa-2937

Plugin Details

Severity: Medium

ID: 74197

File Name: debian_DSA-2937.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2014/05/28

Updated: 2018/11/28

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.2

Temporal Score: 4.6

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mod-wsgi, cpe:/o:debian:debian_linux:6.0, cpe:/o:debian:debian_linux:7.0

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/05/27

Reference Information

CVE: CVE-2014-0240, CVE-2014-0242

BID: 67532, 67534

DSA: 2937