VPR Score: 4.4
Synopsis
The remote Debian host is missing a security-related update.
Description
It was discovered that the Apache web server did not properly handle the 'Options=' parameter to the AllowOverride directive:
- In the stable distribution (lenny), local users could (via .htaccess) enable script execution in Server Side Includes even in configurations where the AllowOverride directive contained only Options=IncludesNoEXEC.
- In the oldstable distribution (etch), local users could (via .htaccess) enable script execution in Server Side Includes and CGI script execution in configurations where the AllowOverride directive contained any 'Options=' value.
For the oldstable distribution (etch), this problem has been fixed in version 2.2.3-4+etch8.
Solution
Upgrade the apache2 packages.
For the stable distribution (lenny), this problem has been fixed in version 2.2.9-10+lenny3.
This advisory also provides updated apache2-mpm-itk packages which have been recompiled against the new apache2 packages (except for the s390 architecture where updated packages will follow shortly).
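The following is an added example, not part of the advisory or of any Debian or Tenable tooling: a Python check that scans Apache configuration text for AllowOverride directives matching the conditions in the description, so an administrator can see which directories relied on the restriction while running unpatched packages. The function names, the sample configuration, and the reading of "only Options=IncludesNoEXEC" as "IncludesNoEXEC permitted but Includes not" are assumptions; line continuations are not handled.

```python
import re

# AllowOverride followed by its argument list (directive names are case-insensitive).
DIRECTIVE_RE = re.compile(r"^\s*AllowOverride\s+(.*\S)\s*$", re.IGNORECASE)

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample
<Directory /var/www/users>
    AllowOverride Options=IncludesNoEXEC
</Directory>
<Directory /var/www/app>
    AllowOverride AuthConfig Options=Indexes,FollowSymLinks
</Directory>
<Directory /var/www/static>
    AllowOverride None
</Directory>
# AllowOverride Options=IncludesNoEXEC
"""

def options_override(args):
    """Return the lower-cased option set of an 'Options=...' token, or None if absent."""
    for token in args.split():
        name, sep, value = token.partition("=")
        if sep and name.lower() == "options":
            return {opt.strip().lower() for opt in value.split(",") if opt.strip()}
    return None

def audit(config_text, release):
    """List (line_number, reason) for directives the advisory describes as unenforced."""
    if release not in ("lenny", "etch"):
        raise ValueError("release must be 'lenny' or 'etch'")
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # Apache comments occupy whole lines
            continue
        match = DIRECTIVE_RE.match(line)
        opts = options_override(match.group(1)) if match else None
        if opts is None:
            continue
        if release == "etch":
            # etch: any 'Options=' value was affected
            findings.append((lineno, "Options= restriction not enforced (SSI exec and CGI)"))
        elif "includesnoexec" in opts and "includes" not in opts:
            # lenny: IncludesNoEXEC did not prevent SSI script execution
            findings.append((lineno, "IncludesNoEXEC restriction not enforced (SSI exec)"))
    return findings

if __name__ == "__main__":
    for release in ("lenny", "etch"):
        for lineno, reason in audit(SAMPLE_CONFIG, release):
            print(f"{release}: line {lineno}: {reason}")
```

A finding does not replace the upgrade; it identifies the directories where .htaccess files written before the fix are worth reviewing.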