Graham Dumpleton
grahamd at dscpl.com.au
Sat Feb 12 23:27:15 EST 2005
As an emergency workaround for this problem if one cannot get your mod_python installation fixed/updated quickly, add the following into your main Apache configuration file and then restart Apache.

  <LocationMatch ".*[/.]func_.*">
  deny from all
  </LocationMatch>

This will prevent the vulnerability being accessed.

I note that some of the discussion which was going on about what the issue was has been posted on public Internet sites, including an example URL for what is some of the information which could be had. Since that is available, see no problem posting this information here. :-(

Also note that it looks like some Linux distributions have not used the latest patch which was put up to solve the problem and it has introduced another potential issue. You are thus encouraged to use the version being provided on the mod_python site which is correct.

Graham

On 13/02/2005, at 2:00 PM, Gregory (Grisha) Trubetskoy wrote:

> The Apache Software Foundation and The Apache HTTP Server Project are
> pleased to announce the release of versions 3.1.4 and 2.7.11 of
> mod_python.
>
> This release addresses a vulnerability in mod_python's publisher
> handler whereby a carefully crafted URL would expose objects that
> should not be visible, leading to an information leak. The Common
> Vulnerabilities and Exposures project (http://cve.mitre.org/) has
> assigned the name CAN-2005-0088 to this issue.
>
> Users of the publisher handler are urged to upgrade as soon as
> possible.
>
> There are no other changes or improvements from the previous version in
> this release.
>
> At this point the new version is only available as a source code
> archive.
> Users of mod_python on Win32 platform can update their installation by
> simply replacing the publisher.py file with the latest version from
> the source code archive.
>
> Mod_python is available for download from:
>
> http://httpd.apache.org/modules/python-download.cgi
>
> For more information about mod_python visit
> http://www.modpython.org/
>
> Regards,
>
> Grisha Trubetskoy
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
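Added example, not part of the original post or of mod_python: a Python check that applies the expression from the LocationMatch workaround above to request paths in an Apache access log, showing which URLs the deny rule covers (legitimate ones starting with func_ included) and which past requests matched. Common Log Format is assumed, and the log lines, addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Same expression as the LocationMatch directive in the post above.
WORKAROUND = re.compile(r".*[/.]func_.*")

# Request line inside a Common/Combined Log Format entry: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def blocked_by_workaround(target: str) -> bool:
    """True if the URL path of a request target matches the workaround pattern."""
    # The directive applies to the URL path, so drop the query string.
    # The access log records the request line as sent, so percent-decode it.
    path = unquote(target.split("?", 1)[0])
    return WORKAROUND.search(path) is not None


def scan(lines):
    """Yield (client, method, target, status) for entries the pattern covers."""
    for line in lines:
        m = REQUEST.search(line)
        if not m or not blocked_by_workaround(m.group("target")):
            continue
        client = line.split(" ", 1)[0]
        status = line[m.end():].split()[0]
        yield client, m.group("method"), m.group("target"), status


# Constructed sample entries (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2005:22:01:07 +1100] "GET /app/index.py/hello HTTP/1.1" 200 512',
    '192.0.2.44 - - [12/Feb/2005:22:03:19 +1100] "GET /app/func_placeholder HTTP/1.1" 200 87',
    '192.0.2.44 - - [12/Feb/2005:22:03:25 +1100] "GET /app/page.func%5Fplaceholder HTTP/1.1" 403 210',
    '192.0.2.51 - - [12/Feb/2005:22:09:40 +1100] "GET /docs/func_reference.html HTTP/1.1" 200 4096',
    '192.0.2.51 - - [12/Feb/2005:22:09:58 +1100] "GET /search?q=/func_x HTTP/1.1" 200 1300',
]

if __name__ == "__main__":
    # A 200 on a matching path means it was served before the rule was in place;
    # a 403 means the deny rule answered it.
    for client, method, target, status in scan(SAMPLE_LOG):
        print(f"{client} {method} {target} -> {status}")
```

The `/docs/func_reference.html` entry matches as well, so any legitimate URL with a path segment beginning `func_` needs renaming or a narrower rule while the workaround is active.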