Ubuntu has issued an advisory today (December 3):
http://www.ubuntu.com/usn/usn-2431-1/

Cauldron is not affected as it was fixed upstream in 4.2.4 (we have 4.2.6).

Patched package uploaded for Mageia 4.

You can find information about testing this in our previous update, Bug 13831.

Advisory:
========================

Updated apache-mod_wsgi package fixes security vulnerability:

It was discovered that mod_wsgi incorrectly handled errors when setting up the working directory and group access rights. A malicious application could possibly use this issue to cause a local privilege escalation when using daemon mode (CVE-2014-8583).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583
http://www.ubuntu.com/usn/usn-2431-1/
========================

Updated packages in core/updates_testing:
========================
apache-mod_wsgi-3.5-1.2.mga4

from apache-mod_wsgi-3.5-1.2.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Testing on Mageia4x64

Following the procedure mentioned in the Description (which contains 2 examples)

Current package :
--------------------
apache-mod_wsgi-3.5-1.1.mga4.x86_64

The 2 WSGI applications worked well

Updated testing package :
-----------------------
apache-mod_wsgi-3.5-1.2.mga4.x86_64

Restarted httpd service

Both WSGI applications ran as expected.
CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK
Testing complete mga4 32 with helloworld from https://bugs.mageia.org/show_bug.cgi?id=13831#c6
Whiteboard: MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK
Validating, advisory uploaded. Please push to core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK => has_procedure mga4-32-ok MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0513.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED