Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[gentoo-announce] [ GLSA 200401-03 ] Apache mod_python Denial of Service vulnerability
From: Tim Yamin <plasmaroo () gentoo org>
Date: Tue, 27 Jan 2004 16:41:33 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200401-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~                                            http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

~  Severity: Low
~     Title: Apache mod_python Denial of Service vulnerability
~      Date: January 27, 2004
~      Bugs: #39154
~        ID: 200401-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.

Background
==========

Mod_python is an Apache module that embeds the Python interpreter within
the server allowing Python-based web-applications to be created.

Description
===========

The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Impact
======

Although there are no known public exploits known for this exploit,
users are recommended to upgrade mod_python to ensure the security of
their infrastructure.

Workaround
==========

Mod_python 2.7.10 has been released [ the release announcement is at
http://www.modpython.org/pipermail/mod_python/2004-January/014879.html ]
to solve this issue; there is no immediate workaround.

Resolution
==========

All users using mod_python 2.7.9 or below are recommended to update
their mod_python installation:

~    $> emerge sync
~    $> emerge -pv ">=dev-python/mod_python-2.7.10"
~    $> emerge ">=dev-python/mod_python-2.7.10"
~    $> /etc/init.d/apache restart

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAFpSuMMXbAy2b2EIRAosaAJ9vyF9mDggAbRlQUOPfqQ5Wu4T8NACeJS+P
h5LFlGViEl++SGHuymtgwWE=
=YT2+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • [gentoo-announce] [ GLSA 200401-03 ] Apache mod_python Denial of Service vulnerability Tim Yamin (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault