From chris at webarchitects.co.uk Wed Apr 3 09:36:43 2019
From: chris at webarchitects.co.uk (Chris Croome)
Date: Wed, 3 Apr 2019 07:36:43 +0000
Subject: [mpm-itk] Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)
Message-ID: <20190403073642.akizj3t2oey5a4oa@webarch.email>

Hi

Does this have an impact on servers running ITK MPM and Apache less than 2.4.39?

> In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
> worker or prefork, code executing in less-privileged child processes
> or threads (including scripts executed by an in-process scripting
> interpreter) could execute arbitrary code with the privileges of the
> parent process (usually root) by manipulating the scoreboard. Non-Unix
> systems are not affected.
>
> https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211

All the best

Chris

--
Webarchitects Co-operative
http://webarchitects.coop/
+44 114 276 9709
@webarchcoop

From sgunderson at bigfoot.com Wed Apr 3 10:11:19 2019
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 3 Apr 2019 10:11:19 +0200
Subject: [mpm-itk] Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)
In-Reply-To: <20190403073642.akizj3t2oey5a4oa@webarch.email>
References: <20190403073642.akizj3t2oey5a4oa@webarch.email>
Message-ID: <20190403081119.wjgcybckze6gcdyz@sesse.net>

On Wed, Apr 03, 2019 at 07:36:43AM +0000, Chris Croome wrote:
> Does this have an impact on servers running ITK MPM and Apache less than
> 2.4.39?

I haven't checked, but I would assume that mpm-itk does not isolate you
from this vulnerability, no. (I.e., the scoreboard is still writable after
suid.) You won't need to upgrade mpm-itk itself, but you'll need to
upgrade Apache.

/* Steinar */
--
Homepage: https://www.sesse.net/
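A small triage helper for the question asked in this thread, added here as an example; it is not code from the list, from the Apache project or from mpm-itk. It reads the text of `httpd -V` (or `apachectl -V`) and `httpd -M`, applies the affected range and MPM list exactly as quoted from the advisory (2.4.17 through 2.4.38 with event, worker or prefork), and reports whether the host needs the Apache upgrade the reply recommends. Assumptions: the `Server version:` / `Server MPM:` line layout of `httpd -V`, and that mpm-itk shows up in `httpd -M` as `mpm_itk_module` (the module name used in its LoadModule line). The two sample outputs are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Affected range and MPMs exactly as quoted from the advisory in the thread
# (CVE-2019-0211): Apache 2.4.17 through 2.4.38 with event, worker or prefork.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 38)
AFFECTED_MPMS = {"event", "worker", "prefork"}

# Constructed sample of `httpd -V` output on a vulnerable prefork build.
SAMPLE_V_PREFORK = """Server version: Apache/2.4.38 (Debian)
Server built:   2019-01-22T16:48:58
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
"""

# Constructed sample of `httpd -V` output on a fixed event build.
SAMPLE_V_FIXED = """Server version: Apache/2.4.39 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)
"""

# Constructed sample of `httpd -M` output with mpm-itk loaded on top of prefork
# (module name mpm_itk_module is an assumption of this example).
SAMPLE_M_ITK = """Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 mpm_itk_module (shared)
 php7_module (shared)
"""


def parse_httpd_v(output: str) -> Tuple[Optional[Tuple[int, int, int]], Optional[str]]:
    """Extract (version, mpm) from `httpd -V` text; None for a field that is absent."""
    version = None
    mpm = None
    m = re.search(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if m:
        version = tuple(int(g) for g in m.groups())
    m = re.search(r"^Server MPM:\s*(\S+)", output, re.MULTILINE)
    if m:
        mpm = m.group(1).lower()
    return version, mpm


def itk_loaded(modules_output: str) -> bool:
    """True if `httpd -M` output lists the ITK module (assumed name: mpm_itk_module)."""
    return re.search(r"^\s*mpm_itk_module\b", modules_output, re.MULTILINE) is not None


def assess(v_output: str, m_output: str = "") -> dict:
    """Decide whether this host falls in the advisory's affected set.

    'affected' is None when the inputs do not allow a decision; the check never
    guesses a version. mpm-itk in 2.4 is loaded on top of prefork, so its
    presence does not move a host out of the affected set; the reply in the
    thread assumes the scoreboard stays writable after the setuid switch.
    """
    version, mpm = parse_httpd_v(v_output)
    itk = itk_loaded(m_output)
    result = {"version": version, "mpm": mpm, "itk": itk, "affected": None, "advice": ""}
    if version is None or mpm is None:
        result["advice"] = "could not read version or MPM; inspect httpd -V output by hand"
        return result
    affected = AFFECTED_MIN <= version <= AFFECTED_MAX and mpm in AFFECTED_MPMS
    result["affected"] = affected
    if affected:
        result["advice"] = "upgrade Apache httpd to 2.4.39 or later"
        if itk:
            result["advice"] += "; mpm-itk is loaded but does not change this, and needs no upgrade itself"
    else:
        result["advice"] = "version/MPM outside the advisory's affected set"
    return result


if __name__ == "__main__":
    for label, v_out, m_out in (("prefork+itk", SAMPLE_V_PREFORK, SAMPLE_M_ITK),
                                ("event 2.4.39", SAMPLE_V_FIXED, "")):
        r = assess(v_out, m_out)
        print(f"{label}: version={r['version']} mpm={r['mpm']} itk={r['itk']} "
              f"affected={r['affected']} -> {r['advice']}")
```

On a real host, feed it the captured output of `httpd -V` and `httpd -M` (or the `apachectl` equivalents). The MPM set in the advisory is Unix-only by construction, so a `winnt` MPM falls outside `AFFECTED_MPMS` without a separate platform check.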