CVE-2011-1176
Published: 29 March 2011
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.
Notes
| Author | Note |
|---|---|
| sbeattie | NOTE: mpm-itk patches go in debian/mpm-itk/patches hardy version predates introduction of configuration merger at all, so not-affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
apache2 Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(doesn't ship mpm-itk)
|
| hardy |
Not vulnerable
(doesn't ship mpm-itk)
|
|
| karmic |
Ignored
(end of life)
|
|
| lucid |
Released
(2.2.14-5ubuntu8.7)
|
|
| maverick |
Released
(2.2.16-1ubuntu3.4)
|
|
| natty |
Released
(2.2.17-1ubuntu1.4)
|
|
| oneiric |
Not vulnerable
(2.2.17-3ubuntu1)
|
|
| upstream |
Needs triage
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
apache2-mpm-itk Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Not vulnerable
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| upstream |
Needs triage
|
|