Date: Mon, 01 Apr 2019 20:31:24 -0500 From: Daniel Ruggeri <druggeri@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts Severity: important Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.17 to 2.4.38 Description: In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. Mitigation: All httpd users running MPM event, worker or prefork should upgrade to 2.4.39 or later. Credit: The issue was discovered by Charles Fol. References: https://httpd.apache.org/security/vulnerabilities_24.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.