CVE-2011-1176

Vulnerability Description

The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.

CVSS Score

Affected Products

References

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857Issue TrackingPatchThird Party Advisory
• http://lists.err.no/pipermail/mpm-itk/2011-March/000393.htmlPatchThird Party Advisory
• http://lists.err.no/pipermail/mpm-itk/2011-March/000394.htmlRelease NotesThird Party Advisory
• http://openwall.com/lists/oss-security/2011/03/20/1Mailing ListThird Party Advisory
• http://openwall.com/lists/oss-security/2011/03/21/13Mailing ListThird Party Advisory
• http://www.debian.org/security/2011/dsa-2202Third Party Advisory
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:057Third Party Advisory
• http://www.securityfocus.com/bid/46953Third Party AdvisoryVDB Entry
• http://www.vupen.com/english/advisories/2011/0748Third Party Advisory
• http://www.vupen.com/english/advisories/2011/0749Third Party Advisory
• http://www.vupen.com/english/advisories/2011/0824Third Party Advisory
• https://exchange.xforce.ibmcloud.com/vulnerabilities/66248Third Party AdvisoryVDB Entry
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857Issue TrackingPatchThird Party Advisory
• http://lists.err.no/pipermail/mpm-itk/2011-March/000393.htmlPatchThird Party Advisory
• http://lists.err.no/pipermail/mpm-itk/2011-March/000394.htmlRelease NotesThird Party Advisory