[mod_python] [ANNOUNCE] Mod_python 3.1.4 and 2.7.11 (security)

Graham Dumpleton grahamd at dscpl.com.au
Sat Feb 12 23:27:15 EST 2005


As an emergency workaround for this problem if one cannot get your mod_python
installation fixed/updated quickly, add the following into your main Apache
configuration file and then restart Apache.

   <LocationMatch ".*[/.]func_.*">
   deny from all
   </LocationMatch>

This will prevent the vulnerability being accessed.

I note that some of the discussion which was going on about what the issue was
has been posted on public Internet sites, including an example URL for what is
some of the information which could be had. Since that is available, see no
problem posting this information here. :-(

Also note that it looks like some Linux distributions have not used the latest
patch which was put up to solve the problem and it has introduced another
potential issue. You are thus encouraged to use the version being provided on
the mod_python site which is correct.

Graham

On 13/02/2005, at 2:00 PM, Gregory (Grisha) Trubetskoy wrote:

>
> The Apache Software Foundation and The Apache HTTP Server Project are
> pleased to announce the release of versions 3.1.4 and 2.7.11 of
> mod_python.
>
> This release addresses a vulnerability in mod_python's publisher
> handler whereby a carefully crafted URL would expose objects that
> should not be visible, leading to an information leak. The Common
> Vulnerabilities and Exposures project (http://cve.mitre.org/) has
> assigned the name CAN-2005-0088 to this issue.
>
> Users of the publisher handler are urged to upgrade as soon as
> possible.
>
> There are no other changes or improvements from the previous version in
> this release.
>
> At this point the new version is only available as a source code
> archive. Users of mod_python on Win32 platform can update their
> installation by simply replacing the publisher.py file with the latest
> version from the source code archive.
>
> Mod_python is available for download from:
>
> http://httpd.apache.org/modules/python-download.cgi
>
> For more information about mod_python visit
> http://www.modpython.org/
>
> Regards,
>
> Grisha Trubetskoy
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
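
As an added example (not part of the original message and not mod_python or Apache code), the following Python script applies the same pattern as the LocationMatch workaround to access-log lines, to find requests the rule covers and any that were served before it was in place. The log lines, paths and placeholder names are constructed; it assumes Apache matches the pattern against the percent-decoded path without the query string.

```python
import re
from urllib.parse import unquote

# Same pattern as the LocationMatch workaround quoted in the message.
WORKAROUND = re.compile(r".*[/.]func_.*")

# Request field and status of a Common Log Format line.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')

# Constructed sample log lines (documentation IP ranges, placeholder names).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Feb/2005:10:00:01 +1100] "GET /app/index.py/hello HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Feb/2005:10:00:05 +1100] "GET /app/index.py/hello.func_PLACEHOLDER HTTP/1.1" 200 2048',
    '198.51.100.7 - - [13/Feb/2005:10:00:09 +1100] "GET /app/index.py/hello%2Efunc_PLACEHOLDER HTTP/1.1" 403 210',
    '192.0.2.10 - - [13/Feb/2005:10:01:00 +1100] "GET /docs/function_list.html?q=.func_ HTTP/1.1" 200 900',
    '192.0.2.22 - - [13/Feb/2005:10:02:00 +1100] "GET /static/func_utils.js HTTP/1.1" 403 210',
]


def workaround_matches(target):
    """True if the workaround pattern matches this request target."""
    path = target.split("?", 1)[0]  # assumption: the query string is not matched
    path = unquote(path)            # assumption: matching uses the decoded path
    return WORKAROUND.match(path) is not None


def scan(lines):
    """Return (client, target, status) for each request the pattern covers."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and workaround_matches(m.group("target")):
            hits.append((line.split()[0], m.group("target"), int(m.group("status"))))
    return hits


def served_before_block(lines):
    """Hits that were answered with 2xx, i.e. not denied at the time."""
    return [hit for hit in scan(lines) if 200 <= hit[2] < 300]


if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        print(client, status, target)
```

The last sample line shows that the pattern also denies any legitimate resource whose name begins with `func_`, which is worth checking for before deploying the rule.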


