envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.
http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html
http://marc.info/?l=bugtraq&m=134012830914727&w=2
http://secunia.com/advisories/48849
https://exchange.xforce.ibmcloud.com/vulnerabilities/74901
https://httpd.apache.org/security/vulnerabilities_24.html