
Bug 360787 (CVE-2011-1176)

Summary: <www-servers/apache-2.2.20: itk mpm update (2.2.17-01) (CVE-2011-1176)
Product: Gentoo Security
Reporter: Milos Ivanovic <bugs>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: apache-bugs, bug, pva
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://mpm-itk.sesse.net/
Whiteboard: C4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 380475    
Bug Blocks:    

Description Milos Ivanovic 2011-03-27 14:47:27 UTC
New update has been released for the itk mpm (version 2.2.17-01).

Could this mpm thus please be updated within Apache (APACHE2_MPMS="itk")?

apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:

  * Fixed CVE-2011-1176: If NiceValue was set, the default with no
    AssignUserID was to run as root:root instead of the default Apache user
    and group, due to the configuration merger having an incorrect default
    configuration.
  * Rebase against Apache 2.2.17.
  * Fix an issue where users can sometimes get spurious 403s on persistent
    connections, if the .htaccess files are not world readable.
  * In the config merger, don't reallocate the username, since it's already
    in the correct pool. (This is not a memory leak, only a small inefficiency.)

Thanks.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 00:08:58 UTC
CVE-2011-1176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1176):
  The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk
  Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server
  does not properly handle certain configuration sections that specify
  NiceValue but not AssignUserID, which might allow remote attackers to gain
  privileges by leveraging the root uid and root gid of an mpm-itk process.
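An added example, not part of the bug report or of mpm-itk: a configuration audit for hosts that may still run an mpm-itk older than the fixed release, flagging every scope that sets NiceValue without its own AssignUserID, the combination the CVE text describes. The function name, the sample configuration and the rule that every container counts as its own scope are assumptions of this example.

```python
import re

# Constructed sample config (not from a real host); *.example names are placeholders.
SAMPLE_CONF = """\
NiceValue 5
<VirtualHost *:80>
    ServerName a.example
    AssignUserID alice alice
    NiceValue 10
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    NiceValue 15
</VirtualHost>
"""

OPEN = re.compile(r"^<\s*([A-Za-z]+)\b([^>]*)>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")
FLAGS = {"nicevalue": 2, "assignuserid": 3}  # directive -> index in a stack frame


def find_risky_sections(conf_text):
    """Return [(start_line, label)] for scopes with NiceValue but no AssignUserID."""
    # Simplification (assumption): every <Container> is treated as its own scope.
    stack = [["<global>", 1, False, False]]  # [label, start_line, has_nice, has_assign]
    findings = []

    def close_frame():
        label, start, has_nice, has_assign = stack.pop()
        if has_nice and not has_assign:
            findings.append((start, label))

    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m_open = OPEN.match(line)
        if CLOSE.match(line):
            if len(stack) > 1:  # ignore a stray closing tag at global scope
                close_frame()
        elif m_open:
            stack.append([f"<{m_open.group(1)}{m_open.group(2).rstrip()}>", lineno, False, False])
        else:
            name = line.split(None, 1)[0].lower()  # directive names are case-insensitive
            if name in FLAGS:
                stack[-1][FLAGS[name]] = True
    while stack:  # close the global scope and any unterminated containers
        close_frame()
    return sorted(findings)
```

A finding is a reason to confirm the installed mpm-itk version and the effective uid/gid of the serving processes, not proof of exposure.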
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-11 02:26:35 UTC
@apache, your thoughts on this?
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-09-15 08:40:38 UTC
Sorry I forgot to notice this, but we've fixed this issue during previous bump. So this is fixed in 2.2.20 (bug 380475).
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:54:42 UTC
(In reply to comment #3)
> Sorry I forgot to notice this, but we've fixed this issue during previous bump.
> So this is fixed in 2.2.20 (bug 380475).

Great, thank you. Closing noglsa.