Bugzilla – Bug 49115
VUL-0: CVE-2004-0096: mod_python: query string can crash apache
Last modified: 2021-09-30 15:17:49 UTC
Date: Fri, 23 Jan 2004 12:46:55 +0100 From: Peter Poeml <poeml@suse.de> Reply-To: security-team@suse.de To: security-team@suse.de Subject: [security-team] (forw) [ANNOUNCE] Mod_python 2.7.10 Parts/Attachments: 1.1 Shown ~11 lines Text 1.2 Shown 2.9 KB Message, "[ANNOUNCE] Mod_python 2.7.10" 1.2.1 Shown 34 lines Text 2 205 bytes Application ---------------------------------------- Hi, This should affect us. We have version 2.7.8 everywhere. (sles8 and box) We can do a version update to 2.7.10. Peter -- Thought is limitation. Free your mind. [ Part 1.2: "Included Message" ] Date: Thu, 22 Jan 2004 19:14:15 -0500 (EST) From: "Gregory (Grisha) Trubetskoy" <grisha@apache.org> To: announce@httpd.apache.org, mod_python@modpython.org Cc: python-dev@httpd.apache.org Newsgroups: comp.lang.python Subject: [ANNOUNCE] Mod_python 2.7.10 The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.7.10 of mod_python. This release addresses a vulnerability in mod_python 2.7.9 whereby a specific query string processed by mod_python would cause the httpd rocess to crash. The previously released version 2.7.9 was supposed to correct this issue, but is still vulnerable. There are no other changes or improvements from the previous version in this release. If you are currently using mod_python 2.7.9 or earlier, it is highly recommended that you upgrade to 2.7.10 as soon as possible. If you are using mod_python 3.0.4, no action is necessary. Mod_python is available for download from: http://httpd.apache.org/modules/python-download.cgi For more information about mod_python visit http://www.modpython.org/ Regards, Grisha Trubetskoy
<!-- SBZ_reproduce --> -
Created attachment 15735 [details] patchinfo-box.modpython
Created attachment 15736 [details] patchinfo.modpython
Created attachment 15929 [details] Proposed patch (diff between mod_python-2.7 patchlevel 8 and 10)
I recommend to update all mod_python packages to 2.7.10. We have 2.7.8 in all packages, because we previously updated all packages to that version/patchlevel. As compared to 2.7.8, 2.7.10 contains only the fix, updated HTML documentation, and one hunk defining the LONG_LONG which disappeared in Python 2.3. The latter hunk is not needed in our packages and we could drop it, but it shouldn't harm. I need the okay from SLES and SUSE Linux project managers. Ralf, please comment; and could you please re-assign to <aj> thereafter?
I forgot to mention, for apache2-mod_python (3.0.3) there is an equivalent patch to 3.0.4. Same situation here. apache2-mod_python is shipped only with SUSE LINUX 9.0.
I have just submitted the patchinfo files.
Comment #7: Stupid mistake -- patchinfo files deleted, since the packages are not even submitted. Status: still waiting for approval on fixing the packages. (work is already done) Let's try Andreas...
The patch looks ok but Ralf has to approve this. NExt time please ask first before doing any work on released products!
The patch looks ok. It is a version update, but if you look at the patch it really only fixes the security issue. Thorsten, could the version update break any dependencies? If so, then we should apply the patch but stay with the version we have. Approval from my side to release this patch.
Thanks. Clarification: I did _not_ work on the released product. No packages are checked in, yet. I only looked at the feasibility of fixing mod_python and built a test package for myself. The rest of the work (fixing the actual packages) is a finger exercise and will take only a few minutes.
Since only apache loads this module and no autobuild package depends on it, we can make whatever we wish, as long as the python interpreter is compatible and apache can load it.
Packages and patchinfo files have been submitted for autobuild. Thomas, I assign to you for further processing.
packages approved (YOU only test).
CVE-2004-0096
CVE-2004-0096: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)