CVE-2011-1176

2011-03-2900:00:00

ubuntu.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

71.0%

JSON

The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk
Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server
does not properly handle certain configuration sections that specify
NiceValue but not AssignUserID, which might allow remote attackers to gain
privileges by leveraging the root uid and root gid of an mpm-itk process.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857>

Notes

Author	Note
sbeattie	NOTE: mpm-itk patches go in debian/mpm-itk/patches hardy version predates introduction of configuration merger at all, so not-affected

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchapache2< 2.2.14-5ubuntu8.7UNKNOWN
ubuntu10.10noarchapache2< 2.2.16-1ubuntu3.4UNKNOWN
ubuntu11.04noarchapache2< 2.2.17-1ubuntu1.4UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	apache2	< 2.2.14-5ubuntu8.7	UNKNOWN
ubuntu	10.10	noarch	apache2	< 2.2.16-1ubuntu3.4	UNKNOWN
ubuntu	11.04	noarch	apache2	< 2.2.17-1ubuntu1.4	UNKNOWN