Solution
Please Install the Updated Packages.
Insight
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module (apache-mpm-itk) for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process (CVE-2011-1176).
Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149& amp
products_id=490
The updated packages uses the latest upstream ITK patch for apache that is unaffected by this issue.
Affected
apache on Mandriva Linux 2009.0,
Mandriva Linux 2009.0/X86_64,
Mandriva Linux 2010.0,
Mandriva Linux 2010.0/X86_64,
Mandriva Linux 2010.1,
Mandriva Linux 2010.1/X86_64,
Mandriva Enterprise Server 5,
Mandriva Enterprise Server 5/X86_64
Severity
Classification
-
CVE CVE-2011-1176 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities