
Richard Thrippleton

#40545 of 53,638
6.6 CVSS total
Vulnerabilities · 1
PT-2007-1376
6.6
2007-03-03
Apache · Apache Http Server · CVE-2006-7098
**Name of the Vulnerable Software and Affected Versions**
Apache HTTP Server version 1.3.34-4

**Description**
The issue arises from the Debian GNU/Linux patch for the Apache HTTP Server, which fails to properly disassociate httpd from a controlling tty when started interactively. This allows local users to gain privileges to that tty via a CGI program that calls the TIOCSTI ioctl.

**Recommendations**
For Apache HTTP Server version 1.3.34-4, consider disabling interactive starts of httpd or restricting the use of CGI programs that call the TIOCSTI ioctl until a proper fix is applied.