diff -Nru mod-wsgi-3.3/debian/changelog mod-wsgi-3.3/debian/changelog
--- mod-wsgi-3.3/debian/changelog 2011-12-03 01:36:52.000000000 +0100
+++ mod-wsgi-3.3/debian/changelog 2014-05-22 22:51:31.000000000 +0200
@@ -1,3 +1,18 @@
+mod-wsgi (3.3-4ubuntu0.1) precise-security; urgency=medium
+
+ * SECURITY UPDATE: Fix possibility of local privilege escalation when
+ using daemon mode.
+ - Only systems running kernel versions >= 2.6 and < 3.1 are affected.
+ - LP: #1322338
+ - CVE-2014-0240
+ - debian/patches/CVE-2014-0240.patch: backport upstream commit
+ * SECURITY UPDATE: Fix possibility of disclosure via Content-Type response
+ header.
+ - CVE-2014-0242
+ - debian/patches/CVE-2014-0242.patch: backport upstream commit
+
+ -- Felix Geyer Thu, 22 May 2014 22:42:28 +0200
+
 mod-wsgi (3.3-4build1) precise; urgency=low
 
 * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
diff -Nru mod-wsgi-3.3/debian/patches/CVE-2014-0240.patch mod-wsgi-3.3/debian/patches/CVE-2014-0240.patch
--- mod-wsgi-3.3/debian/patches/CVE-2014-0240.patch 1970-01-01 01:00:00.000000000 +0100
+++ mod-wsgi-3.3/debian/patches/CVE-2014-0240.patch 2014-05-21 22:26:00.000000000 +0200
@@ -0,0 +1,36 @@
+From d9d5fea585b23991f76532a9b07de7fcd3b649f4 Mon Sep 17 00:00:00 2001
+From: Graham Dumpleton
+Date: Wed, 21 May 2014 16:16:47 +1000
+Subject: [PATCH] Local privilege escalation when using daemon mode.
+ (CVE-2014-0240)
+
+---
+ mod_wsgi.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/mod_wsgi.c b/mod_wsgi.c
+index 32b2903..3ef911b 100644
+--- a/mod_wsgi.c
++++ b/mod_wsgi.c
+@@ -10756,6 +10756,19 @@ static void wsgi_setup_access(WSGIDaemonProcess *daemon)
+ ap_log_error(APLOG_MARK, WSGI_LOG_ALERT(errno), wsgi_server,
+ "mod_wsgi (pid=%d): Unable to change to uid=%ld.",
+ getpid(), (long)daemon->group->uid);
++
++ /*
++ * On true UNIX systems this should always succeed at
++ * this point. With certain Linux kernel versions though
++ * we can get back EAGAIN where the target user had
++ * reached their process limit. In that case will be left
++ * running as wrong user. Just exit on all failures to be
++ * safe. Don't die immediately to avoid a fork bomb.
++ */
++
++ sleep(20);
++
++ exit(-1);
+ }
+ }
+
+--
+1.9.3
diff -Nru mod-wsgi-3.3/debian/patches/CVE-2014-0242.patch mod-wsgi-3.3/debian/patches/CVE-2014-0242.patch
--- mod-wsgi-3.3/debian/patches/CVE-2014-0242.patch 1970-01-01 01:00:00.000000000 +0100
+++ mod-wsgi-3.3/debian/patches/CVE-2014-0242.patch 2014-05-21 22:20:47.000000000 +0200
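Review bot: The new fatal path in the embedded mod_wsgi.c hunk covers only the `setuid()` failure branch, and wsgi_setup_access() begins outside the hunk, so it cannot be seen here whether a failed group change earlier in the function is treated the same way. A daemon that keeps running with the wrong group identity has the same kind of exposure this patch closes for the user id, so any group-side calls there (such as `setgid()`, if present) should be checked and, where they only log, end with the same `sleep(20);` and `exit(-1);`. The delay would also read better as a named constant with the respawn-throttling reason next to it, rather than a bare `20`. For operators, the existing ALERT message "Unable to change to uid" is the line worth alerting on, since after this change it always precedes a daemon exit.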
@@ -0,0 +1,25 @@
+From b0a149c1f5e569932325972e2e20176a42e43517 Mon Sep 17 00:00:00 2001
+From: Graham Dumpleton
+Date: Mon, 7 May 2012 13:23:15 +1000
+Subject: [PATCH] Fix bug where content type returned for response could be
+ corrupted when using embedded mode.
+
+---
+ mod_wsgi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mod_wsgi.c b/mod_wsgi.c
+index 45be2bc..71cab77 100644
+--- a/mod_wsgi.c
++++ b/mod_wsgi.c
+@@ -3252,7 +3252,7 @@ static int Adapter_output(AdapterObject *self, const char *data, int length,
+ if (*self->config->process_group)
+ r->content_type = apr_pstrdup(r->pool, value);
+ else
+- ap_set_content_type(r, value);
++ ap_set_content_type(r, apr_pstrdup(r->pool, value));
+ #endif
+ }
+ else if (!strcasecmp(name, "Content-Length")) {
+--
+1.9.3
diff -Nru mod-wsgi-3.3/debian/patches/series mod-wsgi-3.3/debian/patches/series
--- mod-wsgi-3.3/debian/patches/series 2011-10-06 21:38:59.000000000 +0200
+++ mod-wsgi-3.3/debian/patches/series 2014-05-22 22:42:04.000000000 +0200
@@ -1 +1,3 @@
 python-3.2-compat.patch
+CVE-2014-0240.patch
+CVE-2014-0242.patch
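Review bot: The one-line change in Adapter_output() carries no comment explaining why the string is copied before `ap_set_content_type()`, so the `apr_pstrdup()` reads as redundant and could be dropped in a later cleanup. The hunk does not show where `value` comes from. Presumably it points into storage owned by the application's header object, which can be released before the response is sent, and that would be how stale memory ends up in the Content-Type header. I would add `/* value is borrowed; copy into r->pool so the header outlives its source */` above the call. Adapter_output() starts and ends outside the hunk, so other places in it that store `value` or a similar borrowed pointer into the request record deserve the same check.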