oss-sec mailing list archives
Re: CVE request: mod_wsgi group privilege dropping [was Re: [oss-security] Security release for mod_wsgi (version 3.5)]
From: cve-assign () mitre org
Date: Tue, 4 Nov 2014 05:38:47 -0500 (EST)
https://github.com/GrahamDumpleton/mod_wsgi/commit/545354a80b9cc20d8b6916ca30542eab36c3b8bd
When there is any sort of error in setting up daemon process group, kill the process rather than risk running in an unexpected state.
Use CVE-2014-8583.
https://github.com/GrahamDumpleton/mod_wsgi/commit/a8ac5027f1a887cd41e80616b8a80a442a7e0bc7
Fix one off error when checking limit on the number of supplementary groups for the daemon process group.
This doesn't seem to cross privilege boundaries; there's no way for untrusted users to specify the supplementary groups.

Incidentally, when there's a statement such as "I am not familiar enough to know whether any privilege boundaries are crossed here, or if a user can influence anything" in a CVE request message, it's probably useful to be even more explicit about what parts of the message that statement applies to.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
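
The two commit descriptions quoted in the message concern failing closed when a privilege drop goes wrong and bounding the supplementary group count. The following C sketch illustrates both; it is an added example, not mod_wsgi code and not part of the original message, and the helper names `groups_within_limit` and `drop_privileges` and the sample IDs are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 if a list of n groups fits a limit of max entries.
 * The bound is inclusive: exactly max groups is allowed, max + 1 is not. */
int groups_within_limit(size_t n, long max)
{
    return max >= 0 && n <= (size_t)max;
}

/* Hypothetical helper: switch to uid/gid with the given supplementary groups.
 * Returns 0 only if every step succeeded and the result was verified. */
int drop_privileges(uid_t uid, gid_t gid, const gid_t *groups, size_t n, long max)
{
    if (!groups_within_limit(n, max))
        return -1;                       /* reject before touching credentials */
    if (setgroups(n, groups) != 0)       /* groups first: needs privilege */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)                /* uid last: cannot be undone */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;                       /* verify the state actually changed */
    return 0;
}

int main(void)
{
    /* Constructed sample identity, not taken from any real configuration. */
    gid_t groups[] = { 1001 };
    long max = sysconf(_SC_NGROUPS_MAX);

    if (drop_privileges(1001, 1001, groups, 1, max) != 0) {
        perror("privilege drop failed");
        _exit(EXIT_FAILURE);             /* fail closed: never continue as the old user */
    }
    puts("running with reduced privileges");
    return 0;
}
```

Run without root, `setgroups` fails and the program exits instead of continuing under the original identity.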