mod_wsgi: Privilege escalation — GLSA 201612-49

A vulnerability in mod_wsgi could lead to privilege escalation.

Affected packages

www-apache/mod_wsgi on all architectures
Affected versions < 4.3.0
Unaffected versions >= 4.3.0

Background

mod_wsgi is an Apache2 module for running Python WSGI applications.

Description

mod_wsgi, when creating a daemon process group, does not properly handle dropping group privileges.

Impact

Context-dependent attackers could escalate privileges due to the improper handling of group privileges.

Workaround

There is no known workaround at this time.

Resolution

All mod_wsgi users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-4.3.0"
 

References

Release date
December 30, 2016

Latest revision
December 30, 2016: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries