Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 360787 (CVE-2011-1176) - <www-servers/apache-2.2.20: itk mpm update (2.2.17-01) (CVE-2011-1176)
Summary: <www-servers/apache-2.2.20: itk mpm update (2.2.17-01) (CVE-2011-1176)
Alias: CVE-2011-1176
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal enhancement with 1 vote (vote)
Assignee: Gentoo Security
Whiteboard: C4 [noglsa]
Depends on: CVE-2011-3192
  Show dependency tree
Reported: 2011-03-27 14:47 UTC by Milos Ivanovic
Modified: 2011-09-19 18:54 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Milos Ivanovic 2011-03-27 14:47:27 UTC
New update has been released for the itk mpm (version 2.2.17-01).

Could this mpm thus please be updated within Apache (APACHE2_MPMS="itk")

apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:

  * Fixed CVE-2011-1176: If NiceValue was set, the default with no
    AssignUserID was to run as root:root instead of the default Apache user
    and group, due to the configuration merger having an incorrect default
  * Rebase against Apache 2.2.17.
  * Fix an issue where users can sometimes get spurious 403s on persistent
    connections, if the .htaccess files are not world readable.
  * In the config merger, don't reallocate the username, since it's already
    in the correct pool. (This is not a memory leak, only a small inefficiency.)

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 00:08:58 UTC
CVE-2011-1176 (
  The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk
  Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server
  does not properly handle certain configuration sections that specify
  NiceValue but not AssignUserID, which might allow remote attackers to gain
  privileges by leveraging the root uid and root gid of an mpm-itk process.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-11 02:26:35 UTC
@apache, you thoughts on this?
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-09-15 08:40:38 UTC
Sorry I forgot to notice this, but we've fixed this issue during previous bump. So this is fixed in 2.2.20 (bug 380475).
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:54:42 UTC
(In reply to comment #3)
> Sorry I forgot to notice this, but we've fixed this issue during previous bump.
> So this is fixed in 2.2.20 (bug 380475).

Great, thank you. Closing noglsa.