[mpm-itk] mpm-itk version 2.2.17-01 released

Steinar H. Gunderson sgunderson at bigfoot.com
Mon Mar 21 21:46:11 CET 2011


I've just released mpm-itk 2.2.17-01. This is a maintenance release with no
new features, but a few important bugfixes, in particular for CVE-2011-1176.
The changelog reads:

  apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
    * Fixed CVE-2011-1176: If NiceValue was set, the default with no
      AssignUserID was to run as root:root instead of the default Apache user
      and group, due to the configuration merger having an incorrect default
    * Rebase against Apache 2.2.17.
    * Fix an issue where users can sometimes get spurious 403s on persistent
      connections, if the .htaccess files are not world readable.
    * In the config merger, don't reallocate the username, since it's already
      in the correct pool. (This is not a memory leak, only a small inefficiency.)

Everybody is recommended to upgrade, in particular because of the
CVE-2011-1176 bugfix. (If you want the smallest change possible, the email
about the bug included a minimal diff that do not include the other changes.)

The patch itself is as always available from http://mpm-itk.sesse.net/ .

/* Steinar */
Homepage: http://www.sesse.net/

More information about the mpm-itk mailing list