New update has been released for the itk mpm (version 2.2.17-01).
Could this mpm thus please be updated within Apache (APACHE2_MPMS="itk")?

apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
* Fixed CVE-2011-1176: If NiceValue was set, the default with no
AssignUserID was to run as root:root instead of the default Apache user
and group, due to the configuration merger having an incorrect default.
* Rebase against Apache 2.2.17.
* Fix an issue where users can sometimes get spurious 403s on persistent
connections, if the .htaccess files are not world readable.
* In the config merger, don't reallocate the username, since it's already
in the correct pool. (This is not a memory leak, only a small inefficiency.)
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk
Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server
does not properly handle certain configuration sections that specify
NiceValue but not AssignUserID, which might allow remote attackers to gain
privileges by leveraging the root uid and root gid of an mpm-itk process.
@apache, your thoughts on this?
Sorry I forgot to notice this, but we've fixed this issue during previous bump. So this is fixed in 2.2.20 (bug 380475).
(In reply to comment #3)
> Sorry I forgot to notice this, but we've fixed this issue during previous bump.
> So this is fixed in 2.2.20 (bug 380475).
Great, thank you. Closing noglsa.
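
For administrators still on an affected mpm-itk build, the condition named in the CVE text above (a configuration section that sets NiceValue but not AssignUserID) can be looked for in a config file. The following is an added example, not code from this bug or from mpm-itk; the sample configuration is constructed, and the check is a per-section heuristic that assumes a single file: it does not follow Include directives or model Apache's configuration merging.

```python
import re

# Constructed sample configuration for illustration (not from the bug report).
SAMPLE_CONF = """\
<IfModule mpm_itk_module>
    NiceValue 5
</IfModule>
<VirtualHost *:80>
    ServerName a.example
    AssignUserID alice alice
    NiceValue 10
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    # AssignUserID bob bob
    NiceValue 10
</VirtualHost>
"""

# Conditional wrappers do not open a new configuration scope of their own.
TRANSPARENT = {"ifmodule", "ifdefine", "ifversion"}
TAG = re.compile(r"<\s*(/?)\s*(\w+)([^>]*)>")

def audit(conf_text):
    """Return sorted (scope, line) pairs that set NiceValue but not AssignUserID."""
    stack = [{"name": "(server config)", "line": 1, "seen": set()}]
    done = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives do not count
        m = TAG.match(line)
        if m:
            closing, tag, args = m.groups()
            if tag.lower() in TRANSPARENT:
                continue  # contents belong to the enclosing scope
            if not closing:
                stack.append({"name": f"{tag} {args.strip()}".strip(), "line": no, "seen": set()})
            elif len(stack) > 1:
                done.append(stack.pop())
            continue
        stack[-1]["seen"].add(line.split(None, 1)[0].lower())
    done.extend(stack)  # server config plus any unclosed sections
    hits = [(s["name"], s["line"]) for s in done
            if "nicevalue" in s["seen"] and "assignuserid" not in s["seen"]]
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    for name, line in audit(SAMPLE_CONF):
        print(f"line {line}: {name}: NiceValue without AssignUserID")
```

A reported scope is a place to review, either by adding an explicit AssignUserID or by upgrading to a build with the fix.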