|Summary:||<www-servers/apache-2.2.20: itk mpm update (2.2.17-01) (CVE-2011-1176)|
|Product:||Gentoo Security||Reporter:||Milos Ivanovic <bugs>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||enhancement||CC:||apache-bugs, bug, pva|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||380475|
Description Milos Ivanovic 2011-03-27 14:47:27 UTC
New update has been released for the itk mpm (version 2.2.17-01). Could this mpm thus please be updated within Apache (APACHE2_MPMS="itk") apache2.2-mpm-itk 2.2.17-01, released 2011-03-21: * Fixed CVE-2011-1176: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group, due to the configuration merger having an incorrect default configuration. * Rebase against Apache 2.2.17. * Fix an issue where users can sometimes get spurious 403s on persistent connections, if the .htaccess files are not world readable. * In the config merger, don't reallocate the username, since it's already in the correct pool. (This is not a memory leak, only a small inefficiency.) Thanks.
Comment 1 GLSAMaker/CVETool Bot 2011-07-10 00:08:58 UTC
CVE-2011-1176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1176): The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.
Comment 2 Tim Sammut (RETIRED) 2011-07-11 02:26:35 UTC
@apache, you thoughts on this?
Comment 3 Peter Volkov (RETIRED) 2011-09-15 08:40:38 UTC
Sorry I forgot to notice this, but we've fixed this issue during previous bump. So this is fixed in 2.2.20 (bug 380475).