---
- branch: MAIN
  date: Sat Jun 7 07:41:25 UTC 2014
  files:
  - new: '1.17'
    old: '1.16'
    path: pkgsrc/www/ap2-wsgi/Makefile
    pathrev: pkgsrc/www/ap2-wsgi/Makefile@1.17
    type: modified
  - new: '1.11'
    old: '1.10'
    path: pkgsrc/www/ap2-wsgi/distinfo
    pathrev: pkgsrc/www/ap2-wsgi/distinfo@1.11
    type: modified
  id: 20140607T074125Z.98d921cc0897076334f232c0ee16458c8c268890
  log: |
    Update to 3.5:

    Security Issues

     Local privilege escalation when using daemon mode. (CVE-2014-0240)

    The issue is believed to affect Linux systems running kernel versions
    >= 2.6.0 and < 3.1.0.

    The issue affects all versions of mod_wsgi up to and including
    version 3.4.

    The source of the issue derives from mod_wsgi not correctly handling
    Linux specific error codes from setuid(), which differ from what
    would be expected to be returned by UNIX systems conforming to the
    Open Group UNIX specification for setuid().

            http://man7.org/linux/man-pages/man2/setuid.2.html
            http://pubs.opengroup.org/onlinepubs/009695399/functions/setuid.html

    This difference in behaviour between Linux and the UNIX specification
    was believed to have been removed in version 3.1.0 of the Linux
    kernel.

            https://groups.google.com/forum/?fromgroups=#!topic/linux.kernel/u6cKf4D1D-k

    The issue would allow a user, where Apache is initially being
    started as the root user and where running code under mod_wsgi
    daemon mode as an unprivileged user, to manipulate the number of
    processes run by that user to affect the outcome of setuid() when
    daemon mode processes are forked and so gain escalated privileges
    for the user's code.

    Due to the nature of the issue, if you provide a service or allow
    untrusted users to run Python web applications you do not control
    the code for, and do so using daemon mode of mod_wsgi, you should
    update mod_wsgi as soon as possible.

    Bugs Fixed

    1. Python 3 installations can add a suffix to the Python library.
    So instead of libpythonX.Y.so it can be libpythonX.Ym.so.

    2. When using daemon mode, if an uncaught exception occurred when
    handling a request, when response was proxied back via the Apache
    child process, an internal value for the HTTP status line was not
    cleared correctly. This was resulting in an HTTP status in response
    to client of “200 Error” rather than “500 Internal Server Error”.

    Note that this only affected the status line and not the actual
    HTTP status. The status would still be 500 and the client would
    still interpret it as a failed request.

    3. Null out Apache scoreboard handle in daemon processes for Apache
    2.4 to avoid process crash when lingering close cleanup occurs.

    4. Work around broken MacOS X Xcode Toolchain references in Apache
    apxs build configuration tool and operating system libtool script.
    This means it is no longer necessary to manually go into:

    Applications/Xcode.app/Contents/Developer/Toolchains

    and manually add symlinks to define the true location of the compiler
    tools.

    5. Restore ability to compile mod_wsgi source code under Apache
    1.3.

    6. Fix checks for whether the ITK MPM is used and whether ITK MPM
    specific actions should be taken around the ownership of the mod_wsgi
    daemon process listener socket.

    7. Fix issue where when using Python 3.4, mod_wsgi daemon processes
    would actually crash when the processes were being shut down.

    8. Made traditional library linking the default on MacOS X. If
    needing framework style linking for the Python framework, then use
    the --enable-framework option. The existing --disable-framework
    has now been removed given that the default action has been swapped
    around.

    New Features

    1. For Linux 2.4 and later, enable ability of daemon processes to
    dump core files when Apache CoreDumpDirectory directive used.

    2. Attempt to log whether daemon process exited normally or was
    killed off by an unexpected signal.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/ap2-wsgi'
  unixtime: '1402126885'
  user: wiz