Turns out this is an old issue from 2005 and was fixed in mod_python 3.2.7.
http://issues.apache.org/jira/browse/MODPYTHON-102

Someone must have just realised its importance to the older 3.1.X version they distribute with Ubuntu.

Graham

Graham Dumpleton wrote ..
> Just saw this:
>
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2007-03/msg00076.html
> http://www.securityfocus.com/archive/1/462050
>
> ===========================================================
> Ubuntu Security Notice USN-430-1 March 06, 2007
> libapache2-mod-python vulnerability
> CVE-2004-2680
> ===========================================================
>
> Miles Egan discovered that mod_python, when used in output filter mode,
> did not handle output larger than 16384 bytes, and would display freed
> memory, possibly disclosing private data. Thanks to Jim Garrison of the
> Software Freedom Law Center for identifying the original bug as a
> security vulnerability.
>
> Would have been nice if they had bothered to actually tell someone
> involved with mod_python about it in case the problem still affects
> current version of mod_python. Now we have to work out if it is
> relevant to newer versions or not.
>
> This is something new isn't it???
>
> Graham
