Executive Summary

| Summary | |
|---|---|
| Title | apache2 security update |

| Information | | | |
|---|---|---|---|
| Name | DSA-2202 | First vendor Publication | 2011-03-23 |
| Vendor | Debian | Last vendor Modification | 2011-03-23 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3

| Cvss vector : N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | | | |
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail

MPM_ITK is an alternative Multi-Processing Module for Apache HTTPD that is included in Debian's apache2 package. A configuration parsing flaw has been found in MPM_ITK. If the configuration directive NiceValue was set, but no AssignUserID directive was specified, the requests would be processed as user and group root instead of the default Apache user and group. This issue does not affect the standard Apache HTTPD MPMs prefork, worker, and event.

The oldstable distribution (lenny) is not affected by this problem.

For the stable distribution (squeeze), this problem has been fixed in version 2.2.16-6+squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 2.2.17-2.

If you use apache2-mpm-itk, we recommend that you upgrade your apache2 packages.
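The condition the advisory describes is a configuration pattern, so it can be audited for across a configuration tree before and after the fixed package is rolled out. The following added example is not part of the DSA or of the Debian package: it walks an Apache configuration snippet and reports every section that sets NiceValue without also setting AssignUserID in that same section. The two sample virtual hosts are constructed for the example; including the top-level `(server)` scope in the check is a conservative choice of this example, and `<IfModule>`-style conditional containers are treated as transparent because Apache does not give them a configuration scope of their own.

```python
"""Flag Apache/mpm-itk configuration sections that set NiceValue without AssignUserID.

Added example (not the DSA's or the Debian package's code): a line-oriented
Apache config walker that reports every section setting NiceValue while
omitting AssignUserID in that same section, the condition DSA-2202 describes.
"""
import re
from dataclasses import dataclass, field

SECTION_OPEN = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
DIRECTIVE = re.compile(r"^(\w+)(?:\s+(.*))?$")

# Conditional containers do not open a new configuration scope in Apache;
# directives inside them belong to the enclosing section.
TRANSPARENT = {"ifmodule", "ifdefine", "ifversion"}


@dataclass
class Section:
    name: str            # "VirtualHost", "Directory", ... or "(server)" for the top level
    arg: str             # e.g. "*:80" or "/var/www"
    line: int            # line on which the section opens (0 for the top level)
    directives: dict = field(default_factory=dict)   # lower-cased directive name -> value
    children: list = field(default_factory=list)


def parse_config(text):
    """Parse a config snippet into a Section tree. Raises ValueError on unbalanced tags."""
    root = Section("(server)", "", 0)
    stack = [("(server)", root)]          # (tag name for close-matching, owning section)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            tag = m.group(1)
            if tag.lower() in TRANSPARENT:
                stack.append((tag, stack[-1][1]))   # same scope as the parent
            else:
                sec = Section(tag, (m.group(2) or "").strip(), lineno)
                stack[-1][1].children.append(sec)
                stack.append((tag, sec))
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if len(stack) == 1 or stack[-1][0].lower() != m.group(1).lower():
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            stack.pop()
            continue
        m = DIRECTIVE.match(line)
        if m:
            # Directive names are case-insensitive in Apache; normalise to lower case.
            stack[-1][1].directives[m.group(1).lower()] = (m.group(2) or "").strip()
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1][0]}> section")
    return root


def find_unsafe_sections(root):
    """Return (section name, argument, line) for every scope, top level included,
    that sets NiceValue but does not set AssignUserID itself."""
    findings = []

    def walk(sec):
        if "nicevalue" in sec.directives and "assignuserid" not in sec.directives:
            findings.append((sec.name, sec.arg, sec.line))
        for child in sec.children:
            walk(child)

    walk(root)
    return findings


# Constructed sample: the second vhost sets NiceValue but never AssignUserID.
VULNERABLE_CONFIG = """\
# constructed example configuration
<VirtualHost *:80>
    ServerName alpha.example.test
    DocumentRoot /var/www/alpha
    <IfModule mpm_itk_module>
        AssignUserID alpha alpha
        NiceValue 5
    </IfModule>
</VirtualHost>

<VirtualHost *:80>
    ServerName beta.example.test
    DocumentRoot /var/www/beta
    NiceValue 10
</VirtualHost>
"""

# Same hosts with an explicit AssignUserID in every section that sets NiceValue.
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    "    NiceValue 10\n", "    AssignUserID beta beta\n    NiceValue 10\n")


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = find_unsafe_sections(parse_config(cfg))
        print(f"{label}: {len(hits)} section(s) set NiceValue without AssignUserID")
        for name, arg, line in hits:
            print(f"  <{name} {arg}> at line {line}")
```

The walker reads one snippet at a time and does not follow Include directives, so on a real host the files under sites-enabled and conf.d have to be fed to it individually. Giving every NiceValue section its own AssignUserID removes the configuration pattern the advisory names; the actual fix for the merger flaw is the package upgrade the advisory recommends.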
Original Source

Url : http://www.debian.org/security/2011/dsa-2202
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15211

| Oval ID: | oval:org.mitre.oval:def:15211 | | |
|---|---|---|---|
| Title: | USN-1259-1 -- Apache vulnerabilities | | |
| Description: | apache2: Apache HTTP server - apache2-mpm-itk: multiuser MPM for Apache 2.2. Details: It was discovered that the mod_proxy module in Apache did not properly interact with the RewriteRule and ProxyPassMatch pattern matches in the configuration of a reverse proxy. This could allow remote attackers to contact internal webservers behind the proxy that were not intended for external exposure. Stefano Nichele discovered that the mod_proxy_ajp module in Apache when used with mod_proxy_balancer in certain configurations could allow remote attackers to cause a denial of service via a malformed HTTP request. Samuel Montosa discovered that the ITK Multi-Processing Module for Apache did not properly handle certain configuration sections that specify NiceValue but not AssignUserID, preventing Apache from dropping privileges correctly. This issue only affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. USN 1199-1 fixed a vulnerability in the byterange filter of Apache. The upstream patch introduced a regression in Apache when handling specific byte range requests. This update fixes the issue. Original advisory: Multiple vulnerabilities and a regression were fixed in the Apache HTTP server. | | |
| Family: | unix | Class: | patch |
| Reference(s): | USN-1259-1 CVE-2011-3368 CVE-2011-3348 CVE-2011-1176 | Version: | 5 |
| Platform(s): | Ubuntu 11.04 Ubuntu 11.10 Ubuntu 8.04 Ubuntu 10.04 Ubuntu 10.10 | Product(s): | Apache |
| Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:20246

| Oval ID: | oval:org.mitre.oval:def:20246 | | |
|---|---|---|---|
| Title: | DSA-2202-1 apache2 - failure to drop root privileges | | |
| Description: | MPM_ITK is an alternative Multi-Processing Module for Apache HTTPD that is included in Debian's apache2 package. | | |
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2202-1 CVE-2011-1176 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | apache2 |
| Definition Synopsis: | | | |
CPE : Common Platform Enumeration

| Type | Description | Count |
|---|---|---|
| Application | | 2 |
OpenVAS Exploits

| Date | Description |
|---|---|
| 2011-11-11 | Name : Ubuntu Update for apache2 USN-1259-1 File : nvt/gb_ubuntu_USN_1259_1.nasl |
| 2011-05-12 | Name : Debian Security Advisory DSA 2202-1 (apache2) File : nvt/deb_2202_1.nasl |
| 2011-04-01 | Name : Mandriva Update for apache MDVSA-2011:057 (apache) File : nvt/gb_mandriva_MDVSA_2011_057.nasl |
Open Source Vulnerability Database (OSVDB)

| Id | Description |
|---|---|
| 74262 | Apache HTTP Server Multi-Processing Module itk.c Configuration Merger mpm-itk... |
Nessus® Vulnerability Scanner

| Date | Description |
|---|---|
| 2011-11-11 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1259-1.nasl - Type : ACT_GATHER_INFO |
| 2011-04-01 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-057.nasl - Type : ACT_GATHER_INFO |
| 2011-03-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2202.nasl - Type : ACT_GATHER_INFO |
Alert History

| Date | Information |
|---|---|
| 2014-02-17 11:30:01 | |