Your message dated Sun, 27 Mar 2011 20:00:27 +0000
with message-id <e1q3w8r-0001tj...@franck.debian.org>
and subject line Bug#618857: fixed in apache2 2.2.16-6+squeeze1
has caused the Debian Bug report #618857,
regarding apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
618857: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-mpm-itk
Version: 2.2.16-6
Severity: critical
Tags: security
Justification: root security hole


As far as I tested, in versions prior to 'squeeze' apache/itk behavior was as
claimed at http://mpm-itk.sesse.net/

"
AssignUserID: Takes two parameters, uid and gid (or really, user name
and group name); specifies what uid and gid the vhost will run as (after
parsing the request etc., of course).

_________Note that if you do not assign a user ID, the default one from
Apache will be used._____________
"

On 'squeeze', if the user ID is not assigned by AssignUserID in the VirtualHost,
the default ID will be __root__. The User and Group directives from Apache will
be ignored.

To temporarily solve this, I added this line between the IfModule and
/IfModule lines, in "Section 1: Global Environment" of apache2.conf:

# itk MPM
<IfModule mpm_itk_module>
    AssignUserId ${APACHE_RUN_USER} ${APACHE_RUN_GROUP}
</IfModule>



-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  actions alias auth_basic auth_digest authn_file authz_default
  authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
  dav_lock deflate dir env fcgid jk mime negotiation php5 python
  reqtimeout rewrite setenvif ssl status suexec
List of enabled php5 extensions:
  eaccelerator curl gd imap mcrypt memcache mysql mysqli pdo
  pdo_mysql pdo_pgsql pgsql suhosin

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34.6-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2-mpm-itk depends on:
ii  apache2.2-bin                 2.2.16-6   Apache HTTP Server common binary f
ii  apache2.2-common              2.2.16-6   Apache HTTP Server common files

apache2-mpm-itk recommends no packages.

apache2-mpm-itk suggests no packages.

-- no debconf information



--- End Message ---
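An added configuration audit, not from the reporter or the apache2 package, that checks for the weak layout the report describes and the corrected one: it tells whether a global AssignUserId sits inside the itk IfModule block and which VirtualHosts carry none of their own. The sample configs, hostnames and awk-based parsing are constructed for this example; note that the maintainer's changelog below narrows the root fallback to configurations where NiceValue is set.

```shell
#!/bin/sh
# Added audit helper; it is not from the bug report or the apache2 package.
# It checks an apache2.conf-style file for the situation in #618857: the itk
# MPM in use with no global AssignUserId, so a vhost that sets none of its
# own inherits the default, which the report says was root on squeeze.
# The two configs below are constructed samples written to temp files.

# Exit 0 if an AssignUserId appears inside <IfModule mpm_itk_module>.
itk_has_global_assign() {
    awk 'tolower($0) ~ /^[ \t]*<ifmodule[ \t]+mpm_itk_module>/ { inblk = 1; next }
         tolower($0) ~ /^[ \t]*<\/ifmodule>/                    { inblk = 0 }
         inblk && tolower($1) == "assignuserid"                 { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Print the ServerName of every <VirtualHost> that has no AssignUserId of its own.
vhosts_without_assign() {
    awk 'tolower($0) ~ /^[ \t]*<virtualhost[ \t]/ { invh = 1; has = 0; name = "(no ServerName)"; next }
         invh && tolower($1) == "servername"      { name = $2 }
         invh && tolower($1) == "assignuserid"    { has = 1 }
         tolower($0) ~ /^[ \t]*<\/virtualhost>/   { if (invh && !has) print name; invh = 0 }' "$1"
}

# Verdict: 0 when every vhost has an explicit or global AssignUserId, else 1.
itk_config_ok() {
    itk_has_global_assign "$1" && return 0
    [ -z "$(vhosts_without_assign "$1")" ]
}

WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
# constructed sample: no itk block in the global section
<VirtualHost *:80>
    ServerName a.example.test
    AssignUserId www-a www-a
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example.test
</VirtualHost>
EOF
# Same vhosts, plus the reporter's global workaround block in front.
{ printf '<IfModule mpm_itk_module>\n    AssignUserId ${APACHE_RUN_USER} ${APACHE_RUN_GROUP}\n</IfModule>\n'
  cat "$WEAK_CONF"; } >"$FIXED_CONF"

if itk_config_ok "$WEAK_CONF"; then echo "weak config: ok"
else echo "weak config: vhosts falling back to the default: $(vhosts_without_assign "$WEAK_CONF")"; fi
itk_config_ok "$FIXED_CONF" && echo "fixed config: ok"
```

Run it against a real apache2.conf (with the vhost files it includes concatenated) to see which vhosts would inherit the default user on an unpatched system.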
--- Begin Message ---
Source: apache2
Source-Version: 2.2.16-6+squeeze1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-dbg_2.2.16-6+squeeze1_i386.deb
apache2-doc_2.2.16-6+squeeze1_all.deb
  to main/a/apache2/apache2-doc_2.2.16-6+squeeze1_all.deb
apache2-mpm-event_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-event_2.2.16-6+squeeze1_i386.deb
apache2-mpm-itk_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-itk_2.2.16-6+squeeze1_i386.deb
apache2-mpm-prefork_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.2.16-6+squeeze1_i386.deb
apache2-mpm-worker_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.2.16-6+squeeze1_i386.deb
apache2-prefork-dev_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-prefork-dev_2.2.16-6+squeeze1_i386.deb
apache2-suexec-custom_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.2.16-6+squeeze1_i386.deb
apache2-suexec_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-suexec_2.2.16-6+squeeze1_i386.deb
apache2-threaded-dev_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-threaded-dev_2.2.16-6+squeeze1_i386.deb
apache2-utils_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2-utils_2.2.16-6+squeeze1_i386.deb
apache2.2-bin_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2.2-bin_2.2.16-6+squeeze1_i386.deb
apache2.2-common_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2.2-common_2.2.16-6+squeeze1_i386.deb
apache2_2.2.16-6+squeeze1.diff.gz
  to main/a/apache2/apache2_2.2.16-6+squeeze1.diff.gz
apache2_2.2.16-6+squeeze1.dsc
  to main/a/apache2/apache2_2.2.16-6+squeeze1.dsc
apache2_2.2.16-6+squeeze1_i386.deb
  to main/a/apache2/apache2_2.2.16-6+squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 618...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Tue, 22 Mar 2011 21:44:39 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork 
apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec 
apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev 
apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.16-6+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apa...@lists.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 618857
Changes: 
 apache2 (2.2.16-6+squeeze1) stable-security; urgency=high
 .
   * Fix CVE-2011-1176 in apache2-mpm-itk: If NiceValue was set, the default
     with no AssignUserID was to run as root:root instead of the default Apache
     user and group. Closes: #618857

--- End Message ---
