Bug 14720

Summary: apache-mod_wsgi new security issue CVE-2014-8583
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: olchal, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/624315/
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK advisory
Source RPM: apache-mod_wsgi-3.5-1.1.mga4.src.rpm

Description David Walser 2014-12-03 19:29:05 CET
Ubuntu has issued an advisory today (December 3):
http://www.ubuntu.com/usn/usn-2431-1/

Cauldron is not affected as it was fixed upstream in 4.2.4 (we have 4.2.6).

Patched package uploaded for Mageia 4.

You can find information about testing this in our previous update, Bug 13831.

Advisory:
========================

Updated apache-mod_wsgi package fixes security vulnerability:

It was discovered that mod_wsgi incorrectly handled errors when setting up
the working directory and group access rights. A malicious application
could possibly use this issue to cause a local privilege escalation when
using daemon mode (CVE-2014-8583).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583
http://www.ubuntu.com/usn/usn-2431-1/
========================

Updated packages in core/updates_testing:
========================
apache-mod_wsgi-3.5-1.2.mga4

from apache-mod_wsgi-3.5-1.2.mga4.src.rpm
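
The advisory above describes errors being mishandled while a daemon process sets up its group access rights and working directory. As an added illustration (not mod_wsgi's code and not part of the original report), the C example below contrasts ignoring those errors with failing closed; the call table, the stub functions and the uid/gid value 1000 are constructed assumptions.

```c
/* Added illustration, not mod_wsgi source; every name here is hypothetical. */
#include <stdio.h>
#include <sys/types.h>
/* Call table so a failing step can be simulated; real: setgroups, setgid, setuid, chdir. */
struct priv_ops {
    int (*set_groups)(size_t, const gid_t *);
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
    int (*change_dir)(const char *);
};

/* Fail-open: errors ignored, the process keeps inherited groups/directory. */
int drop_unchecked(const struct priv_ops *o, uid_t u, gid_t g, const char *d)
{
    o->set_groups(1, &g); o->set_gid(g); o->set_uid(u); o->change_dir(d);
    return 0;
}

/* Fail-closed: stop at the first error; the caller must exit on non-zero. */
int drop_checked(const struct priv_ops *o, uid_t u, gid_t g, const char *d)
{
    if (o->set_groups(1, &g) != 0) return -1; /* supplementary groups */
    if (o->set_gid(g) != 0) return -2;        /* primary group */
    if (o->set_uid(u) != 0) return -3;        /* user last */
    if (o->change_dir(d) != 0) return -4;     /* working directory */
    return 0;
}

/* Constructed stubs: group setup fails, every other step would succeed. */
static int steps;
static int bad_groups(size_t n, const gid_t *l) { (void)n; (void)l; steps++; return -1; }
static int ok_gid(gid_t g) { (void)g; steps++; return 0; }
static int ok_uid(uid_t u) { (void)u; steps++; return 0; }
static int ok_dir(const char *d) { (void)d; steps++; return 0; }
static const struct priv_ops sim = { bad_groups, ok_gid, ok_uid, ok_dir };

/* Run one variant against the stubs; `steps` then holds the calls made. */
int simulate(int checked)
{
    steps = 0;
    return (checked ? drop_checked : drop_unchecked)(&sim, 1000, 1000, "/");
}
int main(void)
{
    int rc = simulate(0);
    printf("unchecked: rc=%d steps=%d\n", rc, steps);
    rc = simulate(1);
    printf("checked:   rc=%d steps=%d\n", rc, steps);
    return 0;
}
```

With the simulated group-setup failure, the unchecked variant reports success and carries on through all four steps, while the checked variant stops after the first call and returns an error the caller can act on.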

Comment 1 olivier charles 2014-12-03 22:09:06 CET
Testing on Mageia4x64 

Following procedure mentioned in Description (which contains 2 examples)

Current package :
-------------------- 
apache-mod_wsgi-3.5-1.1.mga4.x86_64

The 2 WSGI applications worked well

Updated testing package :
-----------------------
apache-mod_wsgi-3.5-1.2.mga4.x86_64

Restarted httpd service

Both WSGI applications ran as expected.

CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK

Comment 2 claire robinson 2014-12-05 16:33:53 CET
Testing complete mga4 32 with helloworld from
https://bugs.mageia.org/show_bug.cgi?id=13831#c6

Whiteboard: MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK

Comment 3 Rémi Verschelde 2014-12-05 16:55:37 CET
Validating, advisory uploaded.

Please push to core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2014-12-05 18:00:00 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0513.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED