CVE-2009-1195

Source: ubuntu.com (UB:CVE-2009-1195)
Published: May 28, 2009

CVSS2: 4.9 Medium (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

EPSS: 0.001 Low (Percentile: 40.5%)

The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not properly
handle Options=IncludesNOEXEC in the AllowOverride directive, which allows
local users to gain privileges by configuring (1) Options Includes, (2)
Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and
then inserting an exec element in a .shtml file.
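For hosts that cannot be patched immediately, the three .htaccess forms listed above can be inventoried for review. The following is an added example, not code from Ubuntu or the Apache project; the names `audit_htaccess`, `scan_tree` and `SAMPLE` are hypothetical, and the sample input is constructed.

```python
import os
import re

# The three .htaccess forms named in the advisory, compared case-insensitively
# because Apache directive arguments are not case-sensitive.
RISKY_TOKENS = {"includes", "+includes", "+includesnoexec"}
OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)


def audit_htaccess(text):
    """Return (line_number, matched_tokens) per Options line using a listed form."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):      # skip comment lines
            continue
        match = OPTIONS_RE.match(line)
        if not match:
            continue
        hits = [t for t in match.group(1).split() if t.lower() in RISKY_TOKENS]
        if hits:
            findings.append((lineno, hits))
    return findings


def scan_tree(root):
    """Audit every .htaccess under root; return {path: findings} for hits only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_htaccess(fh.read())
            if findings:
                report[path] = findings
    return report


# Constructed sample input (not taken from a real site).
SAMPLE = """\
# Options +Includes   (commented out, ignored)
Options Indexes FollowSymLinks
options +IncludesNOEXEC
Options -Includes
Options +Includes +Indexes
"""

if __name__ == "__main__":
    for lineno, hits in audit_htaccess(SAMPLE):
        print(f"line {lineno}: {hits}")
```

A flagged line is only a candidate for review: whether it matters depends on the AllowOverride setting in the server configuration and on the installed apache2 version.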

Notes

Author: jdstrand
Note:
  the RedHat patch broke mod_perl. Be sure to use all the upstream patches to avoid https://qa.mandriva.com/show_bug.cgi?id=51554
  Ubuntu 6.06 LTS is not affected because it doesn’t have per-Option AllowOverrides logic (see http://marc.info/?l=apache-httpd-dev&m=124092657628747&w=2)
  apache 2.2.8 and under also need r652885

OS      OS Version  Architecture  Package  Package Version       Filename
ubuntu  8.04        noarch        apache2  < 2.2.8-1ubuntu0.8    UNKNOWN
ubuntu  8.10        noarch        apache2  < 2.2.9-7ubuntu3.1    UNKNOWN
ubuntu  9.04        noarch        apache2  < 2.2.11-2ubuntu2.1   UNKNOWN
