CVE 2014-0240 and CVE 2014-0242

Bug #1322338 reported by Felix Geyer
Affects              Status        Importance  Assigned to  Milestone
mod-wsgi (Ubuntu)    Fix Released  Undecided   Unassigned
Precise              Fix Released  Undecided   Unassigned
Saucy                Fix Released  Undecided   Unassigned
Trusty               Fix Released  Undecided   Unassigned
Utopic               Fix Released  Undecided   Unassigned

Bug Description

Two vulnerabilities have been discovered in mod-wsgi:
http://blog.dscpl.com.au/2014/05/security-release-for-modwsgi-version-35.html

CVE-2014-0240 affects all Ubuntu releases.
CVE-2014-0242 affects <= precise.

Felix Geyer (debfx) wrote :

mod-wsgi 3.5-1 can be synced to utopic. Despite the version there are no source differences in Ubuntu.

Felix Geyer (debfx) wrote :

debdiff for trusty attached.
The same can be applied to saucy.

Felix Geyer (debfx) wrote :

debdiff for precise attached.

Changed in mod-wsgi (Ubuntu Precise):
status: New → Confirmed
Changed in mod-wsgi (Ubuntu Saucy):
status: New → Confirmed
Changed in mod-wsgi (Ubuntu Trusty):
status: New → Confirmed
Changed in mod-wsgi (Ubuntu Utopic):
status: New → Confirmed

Seth Arnold (seth-arnold) wrote :

Looks good to me, but I moved the "- LP: #1322338" annotation to after the SECURITY UPDATE line in the format "(LP: #1322338)" instead. I'll release this Monday.

Thanks Felix

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mod-wsgi - 3.4-4ubuntu2.1.14.04.1

---------------
mod-wsgi (3.4-4ubuntu2.1.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix possibility of local privilege escalation when
    using daemon mode. (LP: #1322338)
    - Only systems running kernel versions >= 2.6 and < 3.1 are affected.
    - CVE-2014-0240
    - debian/patches/CVE-2014-0240.patch: backport upstream commit
 -- Felix Geyer <email address hidden> Thu, 22 May 2014 22:32:39 +0200

Changed in mod-wsgi (Ubuntu Trusty):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mod-wsgi - 3.4-4ubuntu2.1.13.10.1

---------------
mod-wsgi (3.4-4ubuntu2.1.13.10.1) saucy-security; urgency=medium

  * SECURITY UPDATE: Fix possibility of local privilege escalation when
    using daemon mode. (LP: #1322338)
    - Only systems running kernel versions >= 2.6 and < 3.1 are affected.
    - CVE-2014-0240
    - debian/patches/CVE-2014-0240.patch: backport upstream commit
 -- Felix Geyer <email address hidden> Thu, 22 May 2014 22:32:39 +0200

Changed in mod-wsgi (Ubuntu Saucy):
status: Confirmed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mod-wsgi - 3.3-4ubuntu0.1

---------------
mod-wsgi (3.3-4ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: Fix possibility of local privilege escalation when
    using daemon mode. (LP: #1322338)
    - Only systems running kernel versions >= 2.6 and < 3.1 are affected.
    - CVE-2014-0240
    - debian/patches/CVE-2014-0240.patch: backport upstream commit
  * SECURITY UPDATE: Fix possibility of disclosure via Content-Type response
    header.
    - CVE-2014-0242
    - debian/patches/CVE-2014-0242.patch: backport upstream commit
 -- Felix Geyer <email address hidden> Thu, 22 May 2014 22:42:28 +0200

Changed in mod-wsgi (Ubuntu Precise):
status: Confirmed → Fix Released

Felix Geyer (debfx) wrote :

3.5 has been synced to utopic, see bug #1323041

Changed in mod-wsgi (Ubuntu Utopic):
status: Confirmed → Fix Released