CVE-2011-1176

NameCVE-2011-1176
DescriptionThe configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2202-1
Debian Bugs618857

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)bullseye2.4.62-1~deb11u1fixed
bullseye (security)2.4.62-1~deb11u2fixed
bookworm, bookworm (security)2.4.62-1~deb12u2fixed
sid, trixie2.4.63-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcelenny(not affected)
apache2sourcesqueeze2.2.16-6+squeeze1DSA-2202-1
apache2source(unstable)2.2.17-2medium618857
apache2-mpm-itksourcelenny(not affected)
apache2-mpm-itksource(unstable)(unfixed)

Notes

[lenny] - apache2 <not-affected> (different source package in lenny: apache2-mpm-itk)
[lenny] - apache2-mpm-itk <not-affected> (bug was introduced later, in 2.2.11-01)
Search for package or bug name: Reporting problems