Your message dated Sat, 30 May 2009 15:33:42 +0000
with message-id <[email protected]>
and subject line Bug#523054: fixed in libapache-mod-jk 1:1.2.26-2.1
has caused the Debian Bug report #523054,
regarding libapache2-mod-jk: [SECURITY] CVE-2008-5519: Apache Tomcat mod_jk
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
523054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523054
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mod-jk
Version: 1:1.2.26-2
Severity: grave
Tags: security
Justification: user security hole
The Apache Tomcat Security Team has released the following advisory:
Vulnerability announcement:
CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability
Severity: important
Vendor: The Apache Software Foundation
Versions Affected:
mod_jk 1.2.0 to 1.2.26
Description:
Situations where faulty clients set Content-Length without providing
data, or where a user submits repeated requests very quickly may permit
one user to view the response associated with a different user's request.
Mitigation:
Upgrade to mod_jk 1.2.27 or later
Example:
See description
Credit:
This issue was discovered by the Red Hat Security Response Team
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-jk.html
--
Damien Raude-Morvan
--- End Message ---
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.26-2.1
We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive:
libapache-mod-jk-doc_1.2.26-2.1_all.deb
to pool/main/liba/libapache-mod-jk/libapache-mod-jk-doc_1.2.26-2.1_all.deb
libapache-mod-jk_1.2.26-2.1.diff.gz
to pool/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2.1.diff.gz
libapache-mod-jk_1.2.26-2.1.dsc
to pool/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2.1.dsc
libapache2-mod-jk_1.2.26-2.1_i386.deb
to pool/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <[email protected]> (supplier of updated libapache-mod-jk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 30 May 2009 15:49:20 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source i386 all
Version: 1:1.2.26-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Stefan Fritsch <[email protected]>
Description:
libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 523054
Changes:
libapache-mod-jk (1:1.2.26-2.1) unstable; urgency=high
.
* Non-maintainer upload by the security-team.
* CVE-2008-5519: Fix information disclosure vulnerability when clients
abort connection before sending POST body (closes: #523054).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKITzSbxelr8HyTqQRAgRAAJ41tGkz+998h5r3Ph9fvQ4VCmUbOQCglLbj
PPJVLoPaCkwusWUqOuA7AKw=
=GS3F
-----END PGP SIGNATURE-----
--- End Message ---