quetz-mod_python-dev mailing list archives

From "Gregory (Grisha) Trubetskoy" <gri...@apache.org>
Subject Re: Ubuntu mod_python security notice.
Date Wed, 07 Mar 2007 20:03:27 GMT

I wonder if the issue is that we don't make it very clear how to report a 
security issue if one is found?

Grisha

On Wed, 7 Mar 2007, Graham Dumpleton wrote:

> Just saw this:
>
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2007-03/msg00076.html
> http://www.securityfocus.com/archive/1/462050
>
> ===========================================================
> Ubuntu Security Notice USN-430-1 March 06, 2007
> libapache2-mod-python vulnerability
> CVE-2004-2680
> ===========================================================
>
> Miles Egan discovered that mod_python, when used in output filter mode,
> did not handle output larger than 16384 bytes, and would display freed
> memory, possibly disclosing private data. Thanks to Jim Garrison of the
> Software Freedom Law Center for identifying the original bug as a
> security vulnerability.
>
> Would have been nice if they had bothered to actually tell someone
> involved with mod_python about it in case the problem still affects
> the current version of mod_python. Now we have to work out if it is
> relevant to newer versions or not.
>
> This is something new isn't it???
>
> Graham
>
