Mandriva Linux Security Advisory : apache-mod_wsgi (MDVSA-2014:137)
Medium Nessus Plugin ID 76481
Synopsis
The remote Mandriva Linux host is missing a security update.
Description
Multiple vulnerabilities have been discovered and corrected in apache-mod_wsgi:
It was found that mod_wsgi did not properly drop privileges if the call to setuid() failed. If mod_wsgi was set up to allow unprivileged users to run WSGI applications, a local user able to run a WSGI application could possibly use this flaw to escalate their privileges on the system (CVE-2014-0240).
It was discovered that mod_wsgi could leak memory of a hosted web application via the Content-Type header. A remote attacker could possibly use this flaw to disclose limited portions of the web application's memory (CVE-2014-0242).
The updated packages have been patched to correct these issues.
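The unchecked setuid() failure described under CVE-2014-0240, shown as an added C example that is not mod_wsgi's code: a privilege drop that ignores return values beside one that checks each call and verifies the resulting IDs. The `priv_ops` struct, the function names and the stubs are hypothetical, and the EAGAIN failure is a constructed case.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Calls are injected so the failure path can be exercised without root. */
struct priv_ops {
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
};

/* 0 only if the real and effective IDs are the ones asked for. */
int ids_match(uid_t uid, gid_t gid)
{
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Flawed pattern: return values ignored, so a failed setuid() goes unnoticed. */
int drop_unchecked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    ops->set_gid(gid);
    ops->set_uid(uid);
    return 0; /* caller carries on with whatever IDs it still has */
}

/* Hardened pattern: group first, check every call, then verify the result. */
int drop_checked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0) return -1;
    if (ops->set_uid(uid) != 0) return -1;
    return ids_match(uid, gid);
}

/* Constructed stubs: setgid reports success, setuid fails with EAGAIN. */
static int stub_setgid_ok(gid_t g) { (void)g; return 0; }
static int stub_setuid_fail(uid_t u) { (void)u; errno = EAGAIN; return -1; }

int main(void)
{
    const struct priv_ops failing = { stub_setgid_ok, stub_setuid_fail };
    uid_t target = getuid() + 1; /* constructed: any uid other than our own */

    printf("unchecked: %d\n", drop_unchecked(&failing, target, getgid()));
    if (drop_checked(&failing, target, getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to run application\n");
        return 1;
    }
    return 0;
}
```

In a real daemon the `priv_ops` members would point at `setgid` and `setuid`, and a nonzero return from `drop_checked` must stop the process before any hosted application code runs.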
Solution
Update the affected apache-mod_wsgi package.