CVE 2014-0240 and CVE 2014-0242

Bug #1322338 reported by Felix Geyer on 2014-05-22
This bug affects 1 person
Affects            Status  Importance  Assigned to  Milestone
mod-wsgi (Ubuntu)          Undecided   Unassigned
Precise                    Undecided   Unassigned
Saucy                      Undecided   Unassigned
Trusty                     Undecided   Unassigned
Utopic                     Undecided   Unassigned

Bug Description

Two vulnerabilities have been discovered in mod-wsgi:
http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html

CVE-2014-0240 affects all Ubuntu releases.
CVE-2014-0242 affects <= precise.

Felix Geyer (debfx) wrote :

mod-wsgi 3.5-1 can be synced to utopic. Despite the version there are no source differences in Ubuntu.

Felix Geyer (debfx) wrote :

debdiff for trusty attached.
The same can be applied to saucy.

Felix Geyer (debfx) wrote :

debdiff for precise attached

Changed in mod-wsgi (Ubuntu Precise):
status: New → Confirmed
Changed in mod-wsgi (Ubuntu Saucy):
status: New → Confirmed
Changed in mod-wsgi (Ubuntu Trusty):
status: New → Confirmed
Changed in mod-wsgi (Ubuntu Utopic):
status: New → Confirmed

Seth Arnold (seth-arnold) wrote :

Looks good to me, but I moved the "- LP: #1322338" annotation to after the SECURITY UPDATE line in the format "(LP: #1322338)" instead. I'll release this Monday.

Thanks Felix

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mod-wsgi - 3.4-4ubuntu2.1.14.04.1

---------------
mod-wsgi (3.4-4ubuntu2.1.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix possibility of local privilege escalation when
    using daemon mode. (LP: #1322338)
    - Only systems running kernel versions >= 2.6 and < 3.1 are affected.
    - CVE-2014-0240
    - debian/patches/CVE-2014-0240.patch: backport upstream commit
 -- Felix Geyer <email address hidden> Thu, 22 May 2014 22:32:39 +0200

Changed in mod-wsgi (Ubuntu Trusty):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mod-wsgi - 3.4-4ubuntu2.1.13.10.1

---------------
mod-wsgi (3.4-4ubuntu2.1.13.10.1) saucy-security; urgency=medium

  * SECURITY UPDATE: Fix possibility of local privilege escalation when
    using daemon mode. (LP: #1322338)
    - Only systems running kernel versions >= 2.6 and < 3.1 are affected.
    - CVE-2014-0240
    - debian/patches/CVE-2014-0240.patch: backport upstream commit
 -- Felix Geyer <email address hidden> Thu, 22 May 2014 22:32:39 +0200

Changed in mod-wsgi (Ubuntu Saucy):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mod-wsgi - 3.3-4ubuntu0.1

---------------
mod-wsgi (3.3-4ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: Fix possibility of local privilege escalation when
    using daemon mode. (LP: #1322338)
    - Only systems running kernel versions >= 2.6 and < 3.1 are affected.
    - CVE-2014-0240
    - debian/patches/CVE-2014-0240.patch: backport upstream commit
  * SECURITY UPDATE: Fix possibility of disclosure via Content-Type response
    header.
    - CVE-2014-0242
    - debian/patches/CVE-2014-0242.patch: backport upstream commit
 -- Felix Geyer <email address hidden> Thu, 22 May 2014 22:42:28 +0200

Changed in mod-wsgi (Ubuntu Precise):
status: Confirmed → Fix Released

Felix Geyer (debfx) wrote :

3.5 has been synced to utopic, see bug #1323041

Changed in mod-wsgi (Ubuntu Utopic):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.