Your message dated Fri, 03 Jul 2009 19:54:31 +0000
with message-id <e1mmoq7-0008wa...@ries.debian.org>
and subject line Bug#523054: fixed in libapache-mod-jk 1:1.2.18-3etch2
has caused the Debian Bug report #523054,
regarding libapache2-mod-jk: [SECURITY] CVE-2008-5519: Apache Tomcat mod_jk
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
523054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-jk
Version: 1:1.2.26-2
Severity: grave
Tags: security
Justification: user security hole

The Apache Tomcat Security Team has released the following advisory:

  Vulnerability announcement:
  CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

  Severity: important

  Vendor: The Apache Software Foundation

  Versions Affected:
  mod_jk 1.2.0 to 1.2.26

  Description:
  Situations where faulty clients set Content-Length without providing
  data, or where a user submits repeated requests very quickly may permit
  one user to view the response associated with a different user's request.

  Mitigation:
  Upgrade to mod_jk 1.2.27 or later

  Example:
  See description

  Credit:
  This issue was discovered by the Red Hat Security Response Team

  References:
  http://tomcat.apache.org/security.html
  http://tomcat.apache.org/security-jk.html

-- 
Damien Raude-Morvan



--- End Message ---
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.18-3etch2

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive:

libapache-mod-jk-doc_1.2.18-3etch2_all.deb
  to pool/main/liba/libapache-mod-jk/libapache-mod-jk-doc_1.2.18-3etch2_all.deb
libapache-mod-jk_1.2.18-3etch2.diff.gz
  to pool/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2.diff.gz
libapache-mod-jk_1.2.18-3etch2.dsc
  to pool/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2.dsc
libapache-mod-jk_1.2.18-3etch2_i386.deb
  to pool/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_i386.deb
libapache2-mod-jk_1.2.18-3etch2_i386.deb
  to pool/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 30 May 2009 21:18:12 +0200
Source: libapache-mod-jk
Binary: libapache-mod-jk libapache2-mod-jk libapache-mod-jk-doc
Architecture: source all i386
Version: 1:1.2.18-3etch2
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description: 
 libapache-mod-jk - Apache 1.3 connector for the Tomcat Java servlet engine
 libapache-mod-jk-doc - Documentation of libapache-mod-jk/libapache2-mod-jk packages
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 523054
Changes: 
 libapache-mod-jk (1:1.2.18-3etch2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security-team.
   * CVE-2008-5519: Fix information disclosure vulnerability when clients
     abort connection before sending POST body (closes: #523054).
Files: 
 dc3dd860d8c7a2710943903b485b1afa 935 web optional libapache-mod-jk_1.2.18-3etch2.dsc
 889ac12a51c93772cefad6af5225f7f7 11556 web optional libapache-mod-jk_1.2.18-3etch2.diff.gz
 028881fdbf37c27de6fa3edd8fbd05c4 89482 web optional libapache-mod-jk_1.2.18-3etch2_i386.deb
 92d553ae68620971f9b81d81400cc7aa 93386 web optional libapache2-mod-jk_1.2.18-3etch2_i386.deb
 04190ed8b2fc8fea1bf98b1b1df14e9b 118140 doc optional libapache-mod-jk-doc_1.2.18-3etch2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKIuMlbxelr8HyTqQRAo1aAKCBeMxrd5Z+tYSmX/r77a6OwgvXJwCgrQRW
ACdEG4o/KSqFFtWEk5fpT/o=
=GfaC
-----END PGP SIGNATURE-----



--- End Message ---
