Bugtraq mailing list archives
[ GLSA 200401-03 ] Apache mod_python Denial of Service vulnerability
From: Tim Yamin <plasmaroo () gentoo org>
Date: Tue, 27 Jan 2004 16:41:33 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200401-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Apache mod_python Denial of Service vulnerability
      Date: January 27, 2004
      Bugs: #39154
        ID: 200401-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.

Background
==========

Mod_python is an Apache module that embeds the Python interpreter within
the server, allowing Python-based web applications to be created.

Description
===========

The Apache Foundation has reported that mod_python may be prone to Denial
of Service attacks when handling a malformed query. Mod_python 2.7.9 was
released to fix the vulnerability; however, because the vulnerability was
not fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Impact
======

Although there are no known public exploits for this vulnerability, users
are recommended to upgrade mod_python to ensure the security of their
infrastructure.

Workaround
==========

Mod_python 2.7.10 has been released [ the release announcement is at
http://www.modpython.org/pipermail/mod_python/2004-January/014879.html ]
to solve this issue; there is no immediate workaround.

Resolution
==========

All users using mod_python 2.7.9 or below are recommended to update their
mod_python installation:

    $> emerge sync
    $> emerge -pv ">=dev-python/mod_python-2.7.10"
    $> emerge ">=dev-python/mod_python-2.7.10"
    $> /etc/init.d/apache restart

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAFpSuMMXbAy2b2EIRAosaAJ9vyF9mDggAbRlQUOPfqQ5Wu4T8NACeJS+P
h5LFlGViEl++SGHuymtgwWE=
=YT2+
-----END PGP SIGNATURE-----
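An added example, not part of the advisory: a shell function that classifies a mod_python version string against the version statements above, comparing components numerically so that 2.7.10 is not mistaken for something older than 2.7.9. The function name and the output labels are assumptions made for this example, and the sample versions are constructed.

```shell
#!/bin/sh
# Added example (not Gentoo's code): audit a mod_python version string
# against GLSA 200401-03. Labels printed are this example's own:
#   affected      2.7.9 or below (per the Resolution section)
#   fixed         2.7.10 or a later 2.7.x release
#   not-affected  3.0.4 (the only 3.x version the advisory speaks about)
#   unstated      the advisory makes no claim about this version
#   unparsed      not a dotted numeric version

glsa_200401_03_status() {
    ver=${1%%-r[0-9]*}              # drop a Gentoo revision suffix (-r1)
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*)
            echo unparsed; return 2 ;;
    esac

    # Split on dots. A plain string comparison would sort "2.7.10"
    # before "2.7.9", so each component is compared as an integer.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 7 ]; }; then
        echo affected
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 7 ]; then
        if [ "$patch" -le 9 ]; then echo affected; else echo fixed; fi
    elif [ "$ver" = 3.0.4 ]; then
        echo not-affected
    else
        echo unstated
    fi
}

# Constructed sample versions, for illustration only.
for v in 2.7.8-r1 2.7.9 2.7.10 3.0.4 3.0.3; do
    printf '%-10s %s\n' "$v" "$(glsa_200401_03_status "$v")"
done
```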