Ubuntu closes old hole in the Apache module mod_python
By exploiting a vulnerability in the Apache2 module mod_python, attackers may possibly have access to sensitive data on the server. The bug is related to the output filter of the module, which accesses and displays freed memory when too many data have to be processed (more than 16,384).
Although this problem has been known since April 2004, it seems that not everybody has realized its significance. In a current security advisory Ubuntu thanks Jim Garrison from the Software Freedom Law Center for having realized the security risk related to the bug. New Ubuntu packages will now, finally, fix the bug.
This problem is also reported as a "new" problem for the issue tracking system of the distribution rPath, but reference is made to the old patch. According to rPath, a solution for the problem will be available from March 15. It is not known which other Linux distributors are also affected.
Although a CVE entry already suspects that security problems might arise, it is unclear why it took nearly three years to confirm the problem; neither is it clear, why the patch, be it security-relevant or not, has not been integrated into the official version before version 3.1.4.
- libapache2-mod-python vulnerability, Ubuntu security advisory
- buffer leak in output filter, security advisory on launchpad