A vulnerability has been discovered in mpm-itk, affecting versions 2.2.11-01 and 2.2.11-02: If a given vhost or path has NiceValue set but not AssignUserID, Apache will run as the root user and group instead of the global default (typically nobody, www-data, or similar). This is due to an error in the configuration merger. The bug has been assigned CVE ID 2011-1176.

More info here: http://lists.err.no/pipermail/mpm-itk/2011-March/000393.html

Fix: Patch attached (uuencoded and gzipped). It includes an optional patch for mpm-itk perdir-regex (set the WITH_ITK_PERDIR_REGEX variable to apply the optional patch).

More info about perdir-regex here: http://www.pvv.ntnu.no/~knuta/mpm-itk/

Patch attached with submission follows:

Responsible Changed
From-To: freebsd-ports-bugs->apache

Over to maintainer (via the GNATS Auto Assign Tool)

Forgot to mention - this patch removes the old itk-mpm patch file: www/apache22/files/mpm-itk-20090414-00

--
Best regards,
Lukasz Wasikowski

Responsible Changed
From-To: apache->ohauer

I'll take it

ohauer      2011-03-31 17:00:37 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22         Makefile Makefile.doc Makefile.modules
                         Makefile.options pkg-plist
  Added files:
    www/apache22/files   mpm-itk-20110321-01 mpm-itk-perdir-regex
  Removed files:
    www/apache22/files   mpm-itk-20090414-00

  Log:
  - update Apache 2 ITK MPM patch to version 20110321-01 [1]
  - add additional patch for mpm-itk [2]
  - add mod_substitute to apache22 [3]
  - add some documentation into the mpm-itk* patches
  - bump portrevision

  Changes:
  [1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
    * Fixed CVE-2011-1176: If NiceValue was set, the default with no
      AssignUserID was to run as root:root instead of the default Apache
      user and group, due to the configuration merger having an incorrect
      default configuration.
    * Rebase against Apache 2.2.17.
    * Fix an issue where users can sometimes get spurious 403s on
      persistent connections, if the .htaccess files are not world readable.
    * In the config merger, don't reallocate the username, since it's
      already in the correct pool. (This is not a memory leak, only a small
      inefficiency.)

  [2] http://httpd.apache.org/docs/2.2/mod/mod_substitute.html

  Source:
  http://mpm-itk.sesse.net/ [1]
  http://www.pvv.ntnu.no/~knuta/mpm-itk/ [2]
  http://lists.freebsd.org/pipermail/freebsd-apache/2011-March/002184.html [3]

  With Hat:     apache@
  PR:           ports/156024 [1][2]
  Submitted by: Lukasz Wasikowski <lukasz _at_ wasikowski.net> [1][2]
                Nick Gieczewski <sorongo _at_ gmail.com> [3]

  Revision  Changes     Path
  1.286     +2 -2       ports/www/apache22/Makefile
  1.15      +4 -2       ports/www/apache22/Makefile.doc
  1.38      +5 -2       ports/www/apache22/Makefile.modules
  1.8       +1 -0       ports/www/apache22/Makefile.options
  1.2       +0 -2039    ports/www/apache22/files/mpm-itk-20090414-00 (dead)
  1.1       +2112 -0    ports/www/apache22/files/mpm-itk-20110321-01 (new)
  1.1       +160 -0     ports/www/apache22/files/mpm-itk-perdir-regex (new)
  1.100     +2 -1       ports/www/apache22/pkg-plist

State Changed
From-To: open->closed

Committed, Thanks!
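
A configuration audit for the condition described in the report (NiceValue set in a vhost or path block without AssignUserID), as an added example that is not part of the PR, the port, or mpm-itk. The sample configuration is constructed, and checking only the block itself while reporting separately whether an enclosing block sets AssignUserID is an assumption, since the page does not say how inheritance interacts with the bug.

```python
import re

# Constructed sample configuration (not from the page).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName a.example
    AssignUserID alice alice
    NiceValue 5
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    NiceValue 10
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
    AssignUserID carol carol
    <Directory /home/carol/slow>
        NiceValue 15
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

def find_nicevalue_without_user(conf_text):
    """Return (block, line, enclosing_sets_user) for each container block
    that sets NiceValue but not AssignUserID in the same block.
    Include files and backslash line continuations are not followed."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                blk = stack.pop()
                if "nicevalue" in blk["seen"] and "assignuserid" not in blk["seen"]:
                    outer = any("assignuserid" in b["seen"] for b in stack)
                    findings.append((blk["name"], blk["line"], outer))
            continue
        m = OPEN.match(line)
        if m:  # entering a container such as <VirtualHost> or <Directory>
            stack.append({"name": (m.group(1) + m.group(2)).strip(),
                          "line": lineno, "seen": set()})
        elif stack:  # directive names are case-insensitive in Apache
            stack[-1]["seen"].add(line.split()[0].lower())
    return findings

if __name__ == "__main__":
    for name, line, outer in find_nicevalue_without_user(SAMPLE_CONF):
        print(f"line {line}: <{name}> NiceValue without AssignUserID "
              f"(enclosing block sets AssignUserID: {outer})")
```

Blocks reported with the last field False have no AssignUserID anywhere in their enclosing containers and are the ones to review first on the affected versions named in the report.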