osv | Google | OSV:DSA-1816-1
Jun 16, 2009 - 12:00 a.m.

apache2 apache2-mpm-itk - privilege escalation

Google
osv.dev

It was discovered that the Apache web server did not properly handle
the “Options=” parameter to the AllowOverride directive:

  • In the stable distribution (lenny), local users could (via .htaccess)
    enable script execution in Server Side Includes even in configurations
    where the AllowOverride directive contained only
    Options=IncludesNoEXEC.
  • In the oldstable distribution (etch), local users could (via
    .htaccess) enable script execution in Server Side Includes and CGI
    script execution in configurations where the AllowOverride directive
    contained any “Options=” value.

For the oldstable distribution (etch), this problem has been fixed in
version 2.2.3-4+etch8.

For the stable distribution (lenny), this problem has been fixed in
version 2.2.9-10+lenny3.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed in version 2.2.11-6.

This advisory also provides updated apache2-mpm-itk packages which
have been recompiled against the new apache2 packages (except for the
s390 architecture where updated packages will follow shortly).

We recommend that you upgrade your apache2 packages.
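
To find the configurations that relied on the restriction described above, the following audit sketch lists the AllowOverride directives that the unpatched package for a given release did not enforce. It is an added example, not part of the advisory or of Debian's tooling; the function name, the sample configuration and the literal reading of "contained only Options=IncludesNoEXEC" as the directive's sole argument are assumptions.

```python
import re

# Fixed package versions, as stated in the advisory text.
FIXED = {"etch": "2.2.3-4+etch8", "lenny": "2.2.9-10+lenny3"}

# Directive names are case-insensitive; lines starting with '#' never match.
DIRECTIVE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample configuration (not taken from a real server).
SAMPLE = """\
<Directory /srv/www/a>
    AllowOverride Options=IncludesNoEXEC
</Directory>
<Directory /srv/www/b>
    AllowOverride FileInfo Options=Indexes,MultiViews
</Directory>
<Directory /srv/www/c>
    # AllowOverride Options=IncludesNoEXEC
    AllowOverride None
</Directory>
"""

def exposed_overrides(config_text, release):
    """Return (line_no, directive) pairs whose Options= restriction was not
    enforced by the unpatched apache2 package of `release`."""
    if release not in FIXED:
        raise ValueError(f"no fixed version listed for release: {release}")
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        args = [a.lower() for a in match.group(1).split()]
        # etch: any Options= value was affected.
        has_options_list = any(a.startswith("options=") for a in args)
        # lenny: assumed to mean the directive's only argument is this one.
        only_noexec = args == ["options=includesnoexec"]
        if (release == "etch" and has_options_list) or \
           (release == "lenny" and only_noexec):
            hits.append((line_no, line.strip()))
    return hits

if __name__ == "__main__":
    for release in ("lenny", "etch"):
        for line_no, directive in exposed_overrides(SAMPLE, release):
            print(f"{release}: line {line_no}: {directive} "
                  f"(enforced from apache2 {FIXED[release]})")
```

Any directory it reports should be treated as having allowed script execution through .htaccess until the fixed package was installed.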

CPE
Name     Operator  Version
apache2  eq        2.2.9-10+lenny2