Executive Summary
| Summary | |
|---|---|
| Title | mod_python security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2005:100 | First vendor Publication | 2005-02-15 |
| Vendor | RedHat | Last vendor Modification | 2005-02-15 |
| Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An updated mod_python package that fixes a security issue in the publisher handle is now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ 5. Bug IDs fixed (http://bugzilla.redhat.com/): 146657 - CAN-2005-0088 mod_python information leak |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2005-100.html |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:10617 | |||
| Oval ID: | oval:org.mitre.oval:def:10617 | ||
| Title: | SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username. | ||
| Description: | The publisher handler for mod_python 2.7.8 and earlier allows remote attackers to obtain access to restricted objects via a crafted URL. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2005-0088 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-10-10 | Name : SLES9: Security update for apache2-mod_python File : nvt/sles9p5015654.nasl |
| 2009-10-10 | Name : SLES9: Security update for mod_python File : nvt/sles9p5015829.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200502-14 (mod_python) File : nvt/glsa_200502_14.nasl |
| 2008-09-04 | Name : FreeBSD Ports: mod_python File : nvt/freebsd_mod_python.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 689-1 (libapache-mod-python) File : nvt/deb_689_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 13711 | Apache mod_python publisher.py Traversal Arbitrary Object Information Disclosure Mod_python contains a flaw that may lead to an unauthorized information disclosure. Â The issue is triggered when an attacker sends a specially crafted url, which may disclose arbitrary object information such as published object names, resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_9905.nasl - Type : ACT_GATHER_INFO |
| 2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-80-1.nasl - Type : ACT_GATHER_INFO |
| 2005-07-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_5192e7ca7d4f11d9a9e70001020eed82.nasl - Type : ACT_GATHER_INFO |
| 2005-02-23 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-689.nasl - Type : ACT_GATHER_INFO |
| 2005-02-22 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2005-100.nasl - Type : ACT_GATHER_INFO |
| 2005-02-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200502-14.nasl - Type : ACT_GATHER_INFO |
| 2005-02-10 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-139.nasl - Type : ACT_GATHER_INFO |
| 2005-02-10 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-140.nasl - Type : ACT_GATHER_INFO |
| 2005-02-10 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2005-104.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:49:01 |
|
