New update has been released for the itk mpm (version 2.2.17-01). Could this mpm thus please be updated within Apache (APACHE2_MPMS="itk") apache2.2-mpm-itk 2.2.17-01, released 2011-03-21: * Fixed CVE-2011-1176: If NiceValue was set, the default with no AssignUserID was to run as root:root instead of the default Apache user and group, due to the configuration merger having an incorrect default configuration. * Rebase against Apache 2.2.17. * Fix an issue where users can sometimes get spurious 403s on persistent connections, if the .htaccess files are not world readable. * In the config merger, don't reallocate the username, since it's already in the correct pool. (This is not a memory leak, only a small inefficiency.) Thanks.
CVE-2011-1176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1176): The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.
@apache, you thoughts on this?
Sorry I forgot to notice this, but we've fixed this issue during previous bump. So this is fixed in 2.2.20 (bug 380475).
(In reply to comment #3) > Sorry I forgot to notice this, but we've fixed this issue during previous bump. > So this is fixed in 2.2.20 (bug 380475). Great, thank you. Closing noglsa.