-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200401-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
  Title: Apache mod_python Denial of Service vulnerability
  Date: January 27, 2004
  Bugs: #39154
  ID: 200401-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.

Background
==========

Mod_python is an Apache module that embeds the Python interpreter within
the server allowing Python-based web-applications to be created.

Description
===========

The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability; however, because that
release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Impact
======

Although there are no known public exploits for this vulnerability,
users are recommended to upgrade mod_python to ensure the security of
their infrastructure.

Workaround
==========

Mod_python 2.7.10 has been released [ the release announcement is at
http://www.modpython.org/pipermail/mod_python/2004-January/014879.html ]
to solve this issue; there is no immediate workaround.

Resolution
==========

All users using mod_python 2.7.9 or below are recommended to update
their mod_python installation:

    $> emerge sync
    $> emerge -pv ">=dev-python/mod_python-2.7.10"
    $> emerge ">=dev-python/mod_python-2.7.10"
    $> /etc/init.d/apache restart

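The version ranges stated above can be checked against a host's Portage package database before and after the upgrade. The script below is an added example, not part of the original advisory: the function names are hypothetical, /var/db/pkg is assumed as the package database location, and treating later 2.7.x releases and releases after 3.0.4 as safe is an assumption.

```shell
#!/bin/sh
# Added example: classify mod_python versions against GLSA 200401-03.
# From the advisory: 2.7.9 and below are affected, 2.7.10 is the fixed
# release, 3.0.4 is not affected. Assumptions: later 2.7.x releases and
# releases after 3.0.4 keep the fix; 3.0.0-3.0.3 are not covered by the
# advisory and are reported as "unknown" rather than guessed.

# ver_cmp A B: print -1, 0 or 1 for dotted numeric versions A <, =, > B.
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0      # missing fields count as 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# glsa_200401_03_status VERSION: print affected, fixed, not-affected or unknown.
glsa_200401_03_status() {
    v=${1%%-r[0-9]*}                        # drop a Gentoo revision such as -r1
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # not a plain dotted version
    esac
    if [ "$(ver_cmp "$v" 2.7.9)" -le 0 ]; then echo affected
    elif [ "$(ver_cmp "$v" 3.0.0)" -lt 0 ]; then echo fixed
    elif [ "$(ver_cmp "$v" 3.0.4)" -ge 0 ]; then echo not-affected
    else echo unknown
    fi
}

# scan_pkgdb [DIR]: print "<version> <status>" for every installed
# dev-python/mod_python entry in a Portage package database.
scan_pkgdb() {
    for d in "${1:-/var/db/pkg}"/dev-python/mod_python-[0-9]*; do
        [ -d "$d" ] || continue
        ver=${d##*/mod_python-}
        echo "$ver $(glsa_200401_03_status "$ver")"
    done
}

# Run as "sh script.sh --scan" to check the local host.
if [ "${1:-}" = "--scan" ]; then scan_pkgdb; fi
```

A host reporting "affected" still needs the emerge steps above; "unknown" means the advisory gives no statement for that version.
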
Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAFpSuMMXbAy2b2EIRAosaAJ9vyF9mDggAbRlQUOPfqQ5Wu4T8NACeJS+P
h5LFlGViEl++SGHuymtgwWE=
=YT2+
-----END PGP SIGNATURE-----