Debian Bug report logs - #618857
apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used.

version graph

Package: apache2-mpm-itk; Maintainer for apache2-mpm-itk is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for apache2-mpm-itk is src:apache2.

Reported by: Samuel Montosa <samuel@dameuntoque.com>

Date: Sat, 19 Mar 2011 00:15:01 UTC

Severity: critical

Tags: patch, security

Found in version apache2/2.2.16-6

Fixed in versions apache2/2.2.17-2, apache2/2.2.16-6+squeeze1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#618857; Package apache2-mpm-itk. (Sat, 19 Mar 2011 00:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Samuel Montosa <samuel@dameuntoque.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sat, 19 Mar 2011 00:15:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Samuel Montosa <samuel@dameuntoque.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used.
Date: Sat, 19 Mar 2011 01:05:43 +0100
Package: apache2-mpm-itk
Version: 2.2.16-6
Severity: critical
Tags: security
Justification: root security hole


As far I tested, versions prior to 'squeeze', apache/itk behavior was as
claimed at http://mpm-itk.sesse.net/

"
AssignUserID: Takes two parameters, uid and gid (or really, user name
and group name); specifies what uid and gid the vhost will run as (after
parsing the request etc., of course).

_________Note that if you do not assign a user ID, the default one from
Apache will be used._____________
"

On 'squeeze', if user ID is not assigned by AssignUserID at VirtualHost,
default ID will be __root__. User and Group directives from Apache will
be ignored.

To temporary solve this, I added this line between IfModule and
/IfModule lines, at "Section 1: Global Environment" at apache2.conf

# itk MPM
<IfModule mpm_itk_module>
    AssignUserId ${APACHE_RUN_USER} ${APACHE_RUN_GROUP}
</IfModule>



-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  actions alias auth_basic auth_digest authn_file authz_default
  authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
  dav_lock deflate dir env fcgid jk mime negotiation php5 python
  reqtimeout rewrite setenvif ssl status suexec
List of enabled php5 extensions:
  "eaccelerator curl gd imap mcrypt memcache mysql mysqli pdo
  pdo_mysql pdo_pgsql pgsql suhosin

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34.6-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2-mpm-itk depends on:
ii  apache2.2-bin                 2.2.16-6   Apache HTTP Server common binary f
ii  apache2.2-common              2.2.16-6   Apache HTTP Server common files

apache2-mpm-itk recommends no packages.

apache2-mpm-itk suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#618857; Package apache2-mpm-itk. (Sun, 20 Mar 2011 12:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 20 Mar 2011 12:57:03 GMT) Full text and rfc822 format available.

Message #10 received at 618857@bugs.debian.org (full text, mbox):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Samuel Montosa <samuel@dameuntoque.com>, 618857@bugs.debian.org
Cc: team@security.debian.org, control@bugs.debian.org
Subject: Re: Bug#618857: apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used.
Date: Sun, 20 Mar 2011 13:37:21 +0100
[Message part 1 (text/plain, inline)]
tags 618857 + patch
thanks

On Sat, Mar 19, 2011 at 01:05:43AM +0100, Samuel Montosa wrote:
> As far I tested, versions prior to 'squeeze', apache/itk behavior was as
> claimed at http://mpm-itk.sesse.net/
> 
> "
> AssignUserID: Takes two parameters, uid and gid (or really, user name
> and group name); specifies what uid and gid the vhost will run as (after
> parsing the request etc., of course).
> 
> _________Note that if you do not assign a user ID, the default one from
> Apache will be used._____________
> "
> 
> On 'squeeze', if user ID is not assigned by AssignUserID at VirtualHost,
> default ID will be __root__. User and Group directives from Apache will
> be ignored.

Hi,

I managed to reproduce your bug; it only happens if you do not set
AssignUserID but do set NiceValue. In other words, the default configuration
is unaffected (and most normal ones), but it is still an issue.

I have a patch for this, but as upstream I believe I need to go through the
CVE procedure. Does anyone from the security team (Cc-ed) want to help me
through the process? I guess first of all I need a CVE number assigned that I
can refer to in the upstream changelog.

FWIW, the patch is:

diff -ur orig/httpd-2.2.17/server/mpm/experimental/itk/itk.c httpd-2.2.17/server/mpm/experimental/itk/itk.c
--- orig/httpd-2.2.17/server/mpm/experimental/itk/itk.c 2011-03-20 13:18:18.000000000 +0100
+++ httpd-2.2.17/server/mpm/experimental/itk/itk.c      2011-03-20 13:15:42.000000000 +0100
@@ -1697,8 +1697,8 @@
 /* == merge the parent per-dir config structure into ours == */
 static void *itk_merge_dir_config(apr_pool_t *p, void *parent_ptr, void *child_ptr)
 {
-    itk_per_dir_conf *c = (itk_per_dir_conf *)
-        apr_pcalloc(p, sizeof(itk_per_dir_conf));
+    itk_per_dir_conf *c = (itk_per_dir_conf *)
+        itk_create_dir_config(p, NULL);
     itk_per_dir_conf *parent = (itk_per_dir_conf *) parent_ptr;
     itk_per_dir_conf *child = (itk_per_dir_conf *) child_ptr;

Testing would be appreciated. I'm attaching a debdiff with the patch put into
the patch system, for testing.

/* Steinar */
-- 
Homepage: http://www.sesse.net/
[mpm-itk-merger-fix.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com> to control@bugs.debian.org. (Sun, 20 Mar 2011 12:57:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#618857; Package apache2-mpm-itk. (Tue, 22 Mar 2011 10:24:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Samuel Montosa <samuel@dameuntoque.com>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 22 Mar 2011 10:24:05 GMT) Full text and rfc822 format available.

Message #17 received at 618857@bugs.debian.org (full text, mbox):

From: Samuel Montosa <samuel@dameuntoque.com>
To: Steinar H. Gunderson <sgunderson@bigfoot.com>
Cc: 618857@bugs.debian.org, team@security.debian.org, control@bugs.debian.org
Subject: Re: Bug#618857: apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used.
Date: Tue, 22 Mar 2011 11:14:29 +0100
[Message part 1 (text/plain, inline)]
Hi:

Steinar, thanks for your reply.

One comment more:
I admit I have not default configuration so, on my custom instalation,  
I don't need to set "NiceValue" to reproduce the issue.

On a flesh installation I reproduced bug as you said. After your  
patch, bug is fixed.

El 20/03/2011, a las 13:37, Steinar H. Gunderson escribió:

> tags 618857 + patch
> thanks
>
> On Sat, Mar 19, 2011 at 01:05:43AM +0100, Samuel Montosa wrote:
>> As far I tested, versions prior to 'squeeze', apache/itk behavior  
>> was as
>> claimed at http://mpm-itk.sesse.net/
>>
>> "
>> AssignUserID: Takes two parameters, uid and gid (or really, user name
>> and group name); specifies what uid and gid the vhost will run as  
>> (after
>> parsing the request etc., of course).
>>
>> _________Note that if you do not assign a user ID, the default one  
>> from
>> Apache will be used._____________
>> "
>>
>> On 'squeeze', if user ID is not assigned by AssignUserID at  
>> VirtualHost,
>> default ID will be __root__. User and Group directives from Apache  
>> will
>> be ignored.
>
> Hi,
>
> I managed to reproduce your bug; it only happens if you do not set
> AssignUserID but do set NiceValue. In other words, the default  
> configuration
> is unaffected (and most normal ones), but it is still an issue.
>
> I have a patch for this, but as upstream I believe I need to go  
> through the
> CVE procedure. Does anyone from the security team (Cc-ed) want to  
> help me
> through the process? I guess first of all I need a CVE number  
> assigned that I
> can refer to in the upstream changelog.
>
> FWIW, the patch is:
>
> diff -ur orig/httpd-2.2.17/server/mpm/experimental/itk/itk.c  
> httpd-2.2.17/server/mpm/experimental/itk/itk.c
> --- orig/httpd-2.2.17/server/mpm/experimental/itk/itk.c 2011-03-20  
> 13:18:18.000000000 +0100
> +++ httpd-2.2.17/server/mpm/experimental/itk/itk.c      2011-03-20  
> 13:15:42.000000000 +0100
> @@ -1697,8 +1697,8 @@
> /* == merge the parent per-dir config structure into ours == */
> static void *itk_merge_dir_config(apr_pool_t *p, void *parent_ptr,  
> void *child_ptr)
> {
> -    itk_per_dir_conf *c = (itk_per_dir_conf *)
> -        apr_pcalloc(p, sizeof(itk_per_dir_conf));
> +    itk_per_dir_conf *c = (itk_per_dir_conf *)
> +        itk_create_dir_config(p, NULL);
>     itk_per_dir_conf *parent = (itk_per_dir_conf *) parent_ptr;
>     itk_per_dir_conf *child = (itk_per_dir_conf *) child_ptr;
>
> Testing would be appreciated. I'm attaching a debdiff with the patch  
> put into
> the patch system, for testing.
>
> /* Steinar */
> -- 
> Homepage: http://www.sesse.net/
> <mpm-itk-merger-fix.debdiff>

--
Samuel Montosa




[Message part 2 (text/html, inline)]

Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Tue, 22 Mar 2011 11:48:12 GMT) Full text and rfc822 format available.

Notification sent to Samuel Montosa <samuel@dameuntoque.com>:
Bug acknowledged by developer. (Tue, 22 Mar 2011 11:48:12 GMT) Full text and rfc822 format available.

Message #22 received at 618857-close@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: 618857-close@bugs.debian.org
Subject: Bug#618857: fixed in apache2 2.2.17-2
Date: Tue, 22 Mar 2011 11:45:44 +0000
Source: apache2
Source-Version: 2.2.17-2

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.17-2_i386.deb
  to main/a/apache2/apache2-dbg_2.2.17-2_i386.deb
apache2-doc_2.2.17-2_all.deb
  to main/a/apache2/apache2-doc_2.2.17-2_all.deb
apache2-mpm-event_2.2.17-2_i386.deb
  to main/a/apache2/apache2-mpm-event_2.2.17-2_i386.deb
apache2-mpm-itk_2.2.17-2_i386.deb
  to main/a/apache2/apache2-mpm-itk_2.2.17-2_i386.deb
apache2-mpm-prefork_2.2.17-2_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.2.17-2_i386.deb
apache2-mpm-worker_2.2.17-2_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.2.17-2_i386.deb
apache2-prefork-dev_2.2.17-2_i386.deb
  to main/a/apache2/apache2-prefork-dev_2.2.17-2_i386.deb
apache2-suexec-custom_2.2.17-2_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.2.17-2_i386.deb
apache2-suexec_2.2.17-2_i386.deb
  to main/a/apache2/apache2-suexec_2.2.17-2_i386.deb
apache2-threaded-dev_2.2.17-2_i386.deb
  to main/a/apache2/apache2-threaded-dev_2.2.17-2_i386.deb
apache2-utils_2.2.17-2_i386.deb
  to main/a/apache2/apache2-utils_2.2.17-2_i386.deb
apache2.2-bin_2.2.17-2_i386.deb
  to main/a/apache2/apache2.2-bin_2.2.17-2_i386.deb
apache2.2-common_2.2.17-2_i386.deb
  to main/a/apache2/apache2.2-common_2.2.17-2_i386.deb
apache2_2.2.17-2.diff.gz
  to main/a/apache2/apache2_2.2.17-2.diff.gz
apache2_2.2.17-2.dsc
  to main/a/apache2/apache2_2.2.17-2.dsc
apache2_2.2.17-2_i386.deb
  to main/a/apache2/apache2_2.2.17-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 618857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Mar 2011 23:01:17 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.17-2
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 613438 613969 615632 615866 618857
Changes: 
 apache2 (2.2.17-2) unstable; urgency=high
 .
   * New mpm_itk upstream version 2.2.17-01:
     - Fix CVE-2011-1176: If NiceValue was set, the default with no
       AssignUserID was to run as root:root instead of the default Apache user
       and group, due to the configuration merger having an incorrect default
       configuration. Closes: #618857
   * Make exit code of '/etc/init.d/apache2 status' more LSB compatible.
     Closes: #613969
   * Set the default file descriptor limit to 8192 instead of whatever the
     current limit is (usually 1024). Document how to change it in
     /etc/apache2/envvars . Closes: #615632
   * Fix typo in init script. Closes: #615866
   * Add hint in README.Debian about 403 error with mod_dav PUT. Closes: #613438
   * Remove some obsolete Depends and Replaces.
Checksums-Sha1: 
 0a4802bce31b2b274d16ed204694a36ffd9be23c 1783 apache2_2.2.17-2.dsc
 0d2b57bd4443029e86457967e008678f4e562454 206125 apache2_2.2.17-2.diff.gz
 e7bc05b04ea70f994cfd63b86ff1fddbd0510228 2309004 apache2-doc_2.2.17-2_all.deb
 37453d0aa94b30734033687b2491ab4921b48cd9 308778 apache2.2-common_2.2.17-2_i386.deb
 7d1ce4630b842b302266283c642bdc316cd88f01 1351286 apache2.2-bin_2.2.17-2_i386.deb
 5462e8fb8dd2542e16d8e1b9524aef4a90c1d469 2190 apache2-mpm-worker_2.2.17-2_i386.deb
 e92a0f69b0f3a4a93f44bd6ca597a83f679f4041 2280 apache2-mpm-prefork_2.2.17-2_i386.deb
 df6ef8133a5c806bd130f8a5bea74aa92ebf5d98 2252 apache2-mpm-event_2.2.17-2_i386.deb
 e526922d5827d9b0c6db8a028b65cf1387f9c57b 2286 apache2-mpm-itk_2.2.17-2_i386.deb
 02a01cd0245df2909404221bfe4927ec0127f905 166098 apache2-utils_2.2.17-2_i386.deb
 1bc1d731db54e607acd6b6f0283079581d3581eb 100088 apache2-suexec_2.2.17-2_i386.deb
 b97423bc290dd1f6830ff51bca5c62f9540bc196 101594 apache2-suexec-custom_2.2.17-2_i386.deb
 6dd339db583fb2534dea07fdaf88146ec1d8f6d2 1384 apache2_2.2.17-2_i386.deb
 731bd8fd90328fe2c4ae03e51e17fb9361c7e47e 137336 apache2-prefork-dev_2.2.17-2_i386.deb
 0b8be9c46e67408ee0e4ec36feaaa7134cc7725a 138464 apache2-threaded-dev_2.2.17-2_i386.deb
 34981e68ae8ca69d9f4df558583aa4b5e8c686ba 2972274 apache2-dbg_2.2.17-2_i386.deb
Checksums-Sha256: 
 0ed345ba9f9151bfadb125b66563e37c432d0ca1d4802716f2c6cea3b1b98c58 1783 apache2_2.2.17-2.dsc
 ef31f50af0eeb3a2298cd7c3356fa5e3038ecb3a4948256ab0042dd5baff67bf 206125 apache2_2.2.17-2.diff.gz
 0c23408eb27a5c73aa62ceba6344747d75b4037ccaeb046c1c4dae0eba7775ce 2309004 apache2-doc_2.2.17-2_all.deb
 8ce7f21d5e4b9a84eb9ca6006536a01abbc40d19eddb1c991bffe2130aa1976b 308778 apache2.2-common_2.2.17-2_i386.deb
 8329b62390357c8f2391b08f2c221a51a6e62db194e3858f24fbe6892e01220c 1351286 apache2.2-bin_2.2.17-2_i386.deb
 5c8ae5e30d29596b342c91a4d70adae3c60237508cc9f8f87dce5d4a58bbd8b0 2190 apache2-mpm-worker_2.2.17-2_i386.deb
 ca245a55006dd3dfe167a43e4e89e954960166f695052332ba014b6f01d2a600 2280 apache2-mpm-prefork_2.2.17-2_i386.deb
 8e486cda4549d2eb9040c72494e7fdeb3466b30e8a084609a0d9a9cae9eaa834 2252 apache2-mpm-event_2.2.17-2_i386.deb
 89f92e4de53b2c8a52be8aafee1777ea62d28174ad14058514cac5c865ea186a 2286 apache2-mpm-itk_2.2.17-2_i386.deb
 d44d0d0185d60e50912e46a881e1475b142687c80ec9acc6a12c086294aff562 166098 apache2-utils_2.2.17-2_i386.deb
 290e374644d03272bc1e75358f75d93113740f33a640a4e5f6b74ed960b28da9 100088 apache2-suexec_2.2.17-2_i386.deb
 53bc966c26b5d4633cc8c653b6e89c38c60e679336f5694f08e44c6283ecb297 101594 apache2-suexec-custom_2.2.17-2_i386.deb
 a441e621bfee656711646d449beca4aacc2538f3e8bf64be27c2f8a26d00b194 1384 apache2_2.2.17-2_i386.deb
 d9237b1e9191dc657b10151996ee125dda4fd8732de9bda210c3f319d3e2bfcc 137336 apache2-prefork-dev_2.2.17-2_i386.deb
 f8d94fcf81f12653c39ea3f81565ed7d35fda01cb45d8b3cc39e435db7620ba5 138464 apache2-threaded-dev_2.2.17-2_i386.deb
 798109cb160b800d40babbf521ec15c61cf53ce5e00da24957f766ee9f3b1419 2972274 apache2-dbg_2.2.17-2_i386.deb
Files: 
 24f1edf69c241e9a5aaf106030789c36 1783 httpd optional apache2_2.2.17-2.dsc
 7c2c03e2c1c0ff35719a607add179f5d 206125 httpd optional apache2_2.2.17-2.diff.gz
 84714890165ba8e05826fd8cbd5b164c 2309004 doc optional apache2-doc_2.2.17-2_all.deb
 457328bf871df9913b3ad7f3fe2855fa 308778 httpd optional apache2.2-common_2.2.17-2_i386.deb
 34ca9369c4c3c05dfe4219b7a1d6f439 1351286 httpd optional apache2.2-bin_2.2.17-2_i386.deb
 378bc7ad23e1c4548be62d89f2c2d81e 2190 httpd optional apache2-mpm-worker_2.2.17-2_i386.deb
 36039a6b7efb1c1a15d56af78bd3a45a 2280 httpd optional apache2-mpm-prefork_2.2.17-2_i386.deb
 37f078ba0d3cf6e2194ff517d1e7c386 2252 httpd optional apache2-mpm-event_2.2.17-2_i386.deb
 769a6390e36a5d5d58247780ce0a0282 2286 httpd extra apache2-mpm-itk_2.2.17-2_i386.deb
 4876a48c3eb4210e1db45247e7f14684 166098 httpd optional apache2-utils_2.2.17-2_i386.deb
 05e8733a56957461d0176b450fbd129d 100088 httpd optional apache2-suexec_2.2.17-2_i386.deb
 534fb1efee57421b542fb85868c4b144 101594 httpd extra apache2-suexec-custom_2.2.17-2_i386.deb
 195da76d8863989a8fceb6ae8a743c40 1384 httpd optional apache2_2.2.17-2_i386.deb
 c74fc17833cde0f4370c594be73eefe0 137336 httpd extra apache2-prefork-dev_2.2.17-2_i386.deb
 3c40d21c610c49d9035bab72b612c723 138464 httpd extra apache2-threaded-dev_2.2.17-2_i386.deb
 be447cc5b686c3c807b5d6c40ccf6ff5 2972274 debug extra apache2-dbg_2.2.17-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNh8zgbxelr8HyTqQRAr8vAKDBR/9wgQuOE/kSOZPxyYHN5tVwfwCg2Cl6
ZiI470/hjI+qnSV/FWzzWQY=
=Bdru
-----END PGP SIGNATURE-----





Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Sun, 27 Mar 2011 20:51:08 GMT) Full text and rfc822 format available.

Notification sent to Samuel Montosa <samuel@dameuntoque.com>:
Bug acknowledged by developer. (Sun, 27 Mar 2011 20:51:08 GMT) Full text and rfc822 format available.

Message #27 received at 618857-close@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: 618857-close@bugs.debian.org
Subject: Bug#618857: fixed in apache2 2.2.16-6+squeeze1
Date: Sun, 27 Mar 2011 20:00:27 +0000
Source: apache2
Source-Version: 2.2.16-6+squeeze1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-dbg_2.2.16-6+squeeze1_i386.deb
apache2-doc_2.2.16-6+squeeze1_all.deb
  to main/a/apache2/apache2-doc_2.2.16-6+squeeze1_all.deb
apache2-mpm-event_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-event_2.2.16-6+squeeze1_i386.deb
apache2-mpm-itk_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-itk_2.2.16-6+squeeze1_i386.deb
apache2-mpm-prefork_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.2.16-6+squeeze1_i386.deb
apache2-mpm-worker_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.2.16-6+squeeze1_i386.deb
apache2-prefork-dev_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-prefork-dev_2.2.16-6+squeeze1_i386.deb
apache2-suexec-custom_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.2.16-6+squeeze1_i386.deb
apache2-suexec_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-suexec_2.2.16-6+squeeze1_i386.deb
apache2-threaded-dev_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-threaded-dev_2.2.16-6+squeeze1_i386.deb
apache2-utils_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-utils_2.2.16-6+squeeze1_i386.deb
apache2.2-bin_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2.2-bin_2.2.16-6+squeeze1_i386.deb
apache2.2-common_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2.2-common_2.2.16-6+squeeze1_i386.deb
apache2_2.2.16-6+squeeze1.diff.gz
  to main/a/apache2/apache2_2.2.16-6+squeeze1.diff.gz
apache2_2.2.16-6+squeeze1.dsc
  to main/a/apache2/apache2_2.2.16-6+squeeze1.dsc
apache2_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2_2.2.16-6+squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 618857@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 22 Mar 2011 21:44:39 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.16-6+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 618857
Changes: 
 apache2 (2.2.16-6+squeeze1) stable-security; urgency=high
 .
   * Fix CVE-2011-1176 in apache2-mpm-itk: If NiceValue was set, the default
     with no AssignUserID was to run as root:root instead of the default Apache
     user and group. Closes: #618857
Checksums-Sha1: 
 2438c19d714bd3aa655b8a4dc929a25663b941a2 1832 apache2_2.2.16-6+squeeze1.dsc
 6937bd8b127541d6700b870681120b2b4cc79ba9 6369022 apache2_2.2.16.orig.tar.gz
 5920cc8abe08db2d40519dd1ffeb00b8a06115f5 209190 apache2_2.2.16-6+squeeze1.diff.gz
 58383161e1cba23dbb9e97d1f5924feda6643b44 2303700 apache2-doc_2.2.16-6+squeeze1_all.deb
 1a372aba66b49ad254822d86f204bf823aba6446 307314 apache2.2-common_2.2.16-6+squeeze1_i386.deb
 01615fe64dc33bc71931dc5a4e2e73d459c4701b 1344734 apache2.2-bin_2.2.16-6+squeeze1_i386.deb
 5f28d49fff8e3cc234d2cf9d4ae82aad306296b2 2230 apache2-mpm-worker_2.2.16-6+squeeze1_i386.deb
 768e0f3c5a886d7be8eeee0c7d8431e7789006b1 2286 apache2-mpm-prefork_2.2.16-6+squeeze1_i386.deb
 a60529e5cfa444b831baed66a28b24b5428db173 2264 apache2-mpm-event_2.2.16-6+squeeze1_i386.deb
 7284a49b8c340b7da945f4aefbb739f5c4ff93fd 2292 apache2-mpm-itk_2.2.16-6+squeeze1_i386.deb
 e8312d2c70dab0d19f8af873ec9a8e551fc41567 164536 apache2-utils_2.2.16-6+squeeze1_i386.deb
 2e18071980aed261f185b81502be6de1e9bc2cb5 99068 apache2-suexec_2.2.16-6+squeeze1_i386.deb
 3f7d76a348e1f840a6fb3642210f04e8a1878483 100566 apache2-suexec-custom_2.2.16-6+squeeze1_i386.deb
 242c67d06113f7d073e1cc0aa1c9081218a7a623 1386 apache2_2.2.16-6+squeeze1_i386.deb
 31d2964e50faa7ff83dfc63c76ef04f13c579834 137226 apache2-prefork-dev_2.2.16-6+squeeze1_i386.deb
 364def8fcaa11bbb5f3743bb118bcbc2bb8aafb0 138352 apache2-threaded-dev_2.2.16-6+squeeze1_i386.deb
 f4f269ffcd2ce274024b4ba558d44b0cc028d41d 2678040 apache2-dbg_2.2.16-6+squeeze1_i386.deb
Checksums-Sha256: 
 61c140ea35b2fb46ec1cd90c17929846dd75a10758ccebe8a00e603c43f09281 1832 apache2_2.2.16-6+squeeze1.dsc
 72cdbaf0525b4c956532b308a0344ca7c287eb12759472481ae4affca71b6ed3 6369022 apache2_2.2.16.orig.tar.gz
 14fc0bfa43d2038da7a7b677babee764940207446c8f6bdc09b260d0880d5acb 209190 apache2_2.2.16-6+squeeze1.diff.gz
 e4ae0b766e4b2e1190db061b990eda8b07f8d2220d0b639fa8a6d1c75de53881 2303700 apache2-doc_2.2.16-6+squeeze1_all.deb
 850f628fcf658b38c96e3c99b1efa9e4e13b26ce48b0fde998c9eb441c91cc7f 307314 apache2.2-common_2.2.16-6+squeeze1_i386.deb
 a386676a6aeb85d70d871191c978411a9a1d7b215e496839e28eb1403040eebc 1344734 apache2.2-bin_2.2.16-6+squeeze1_i386.deb
 9a2db36be4136a1961a2bf20b245fa2660b77b8433e82544d61e9c3c3cf10b15 2230 apache2-mpm-worker_2.2.16-6+squeeze1_i386.deb
 7fb4e00c4d9a9522680d7a7eb1dbbc0ea222a58d05a140e0367802a54b21a60e 2286 apache2-mpm-prefork_2.2.16-6+squeeze1_i386.deb
 7897e4c9460cd8230c585fc3e10e3d01f6a9ce7e377d5ae034088bf4d9fc430b 2264 apache2-mpm-event_2.2.16-6+squeeze1_i386.deb
 a63cdb9e42c936adf9f1a989260553b1946b23cfc2cc5f1fdfc3c9ca3be4723f 2292 apache2-mpm-itk_2.2.16-6+squeeze1_i386.deb
 2b2e7a2df2948a8847d475191122e50886fdf8db94e61e8dde6cbd3f2d065b58 164536 apache2-utils_2.2.16-6+squeeze1_i386.deb
 083018145152533154002182ac1beeaf9ceff57522798e2f5c34074e875fffd2 99068 apache2-suexec_2.2.16-6+squeeze1_i386.deb
 e7b60ac864e02c504ab8fc0f6809b237964e9247e53be4e10295ebf8f6f4f1b0 100566 apache2-suexec-custom_2.2.16-6+squeeze1_i386.deb
 062d6e6b2e1ee62572a63094708750d80bf293ea01c8082578a4db876a15f3c8 1386 apache2_2.2.16-6+squeeze1_i386.deb
 7724c83b46b7db3f84c13ba43b71e2697b88dda965cb1039bc549df2c80f84b8 137226 apache2-prefork-dev_2.2.16-6+squeeze1_i386.deb
 f452bfea034721f4e2c664b6f3eb44cd01dcf453f1fd8962ad0d692ec577114b 138352 apache2-threaded-dev_2.2.16-6+squeeze1_i386.deb
 2252a0e9c6f91802b2d811d222d5dac4c9357f34406960d0e9bc02b4eee5883e 2678040 apache2-dbg_2.2.16-6+squeeze1_i386.deb
Files: 
 d1a15413df1de916cfe69c6648197e38 1832 httpd optional apache2_2.2.16-6+squeeze1.dsc
 7f33f2c8b213ad758c009ae46d2795ed 6369022 httpd optional apache2_2.2.16.orig.tar.gz
 a2a7395e63f1284dda9979a719295e16 209190 httpd optional apache2_2.2.16-6+squeeze1.diff.gz
 664200eb6a38293654ba8e62c02f13fc 2303700 doc optional apache2-doc_2.2.16-6+squeeze1_all.deb
 49e7cb0d04bd56c1802abf06802002ed 307314 httpd optional apache2.2-common_2.2.16-6+squeeze1_i386.deb
 e6951ba32b9fac71c4582607dcaeda3c 1344734 httpd optional apache2.2-bin_2.2.16-6+squeeze1_i386.deb
 7ab34bdf10b1be45a4b80d13bcbf3752 2230 httpd optional apache2-mpm-worker_2.2.16-6+squeeze1_i386.deb
 f6030551007ddf8a9c6e1e90148bc0dc 2286 httpd optional apache2-mpm-prefork_2.2.16-6+squeeze1_i386.deb
 70c50cb39a8fbbde8b714d6ad2796848 2264 httpd optional apache2-mpm-event_2.2.16-6+squeeze1_i386.deb
 c19657ae60adea82e267bcc1889e501c 2292 httpd extra apache2-mpm-itk_2.2.16-6+squeeze1_i386.deb
 e85d039f469f94931f917aca3e9825bc 164536 httpd optional apache2-utils_2.2.16-6+squeeze1_i386.deb
 8cfdac6565588f82af5a8f26523c62aa 99068 httpd optional apache2-suexec_2.2.16-6+squeeze1_i386.deb
 4de001c1b69a6ae629f2b658cdae319c 100566 httpd extra apache2-suexec-custom_2.2.16-6+squeeze1_i386.deb
 b1e59398ce6dbbd1e92453117dc501ac 1386 httpd optional apache2_2.2.16-6+squeeze1_i386.deb
 adc548d8f37f2aebc55aeefc13afb47e 137226 httpd extra apache2-prefork-dev_2.2.16-6+squeeze1_i386.deb
 93b2d7b63b617d094ba0ec542e48472b 138352 httpd extra apache2-threaded-dev_2.2.16-6+squeeze1_i386.deb
 4aeada7bb037ccc56dd79b7bc6eb0d53 2678040 debug extra apache2-dbg_2.2.16-6+squeeze1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNiQ2ebxelr8HyTqQRAhh4AKCYSy8LeVaphaZbBmKOptMasYhMkQCfYBy6
8rxNlB0TLmu00A52JH3dTuA=
=wE01
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jun 2011 07:36:11 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:02:01 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.