Your message dated Thu, 14 Sep 2023 23:05:45 +0000
with message-id <[email protected]>
and subject line Bug#1051956: fixed in libapache-mod-jk 1:1.2.49-1
has caused the Debian Bug report #1051956,
regarding libapache-mod-jk: CVE-2023-41081
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1051956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051956
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache-mod-jk
Version: 1:1.2.48-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libapache-mod-jk.

CVE-2023-41081[0]:
| The mod_jk component of Apache Tomcat Connectors in some
| circumstances, such as when a configuration included "JkOptions
| +ForwardDirectories" but the configuration did not provide
| explicit mounts for all possible proxied requests, mod_jk would
| use an implicit mapping and map the request to the first defined
| worker. Such an implicit mapping could result in the unintended
| exposure of the status worker and/or bypass security constraints
| configured in httpd. As of JK 1.2.49, the implicit mapping
| functionality has been removed and all mappings must now be via
| explicit configuration. Only mod_jk is affected by this issue. The
| ISAPI redirector is not affected.  This issue affects Apache Tomcat
| Connectors (mod_jk only): from 1.2.0 through 1.2.48.  Users are
| recommended to upgrade to version 1.2.49, which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41081
    https://www.cve.org/CVERecord?id=CVE-2023-41081
[1] https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
[2] http://www.openwall.com/lists/oss-security/2023/09/13/2
[3] https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
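The report above describes a configuration-dependent exposure: with `JkOptions +ForwardDirectories` set and no explicit `JkMount` for every proxied path, mod_jk 1.2.0 through 1.2.48 maps an unmatched request to the first defined worker, which may be the status worker. The following audit script is an added example, not code from the bug report, from Debian or from the mod_jk project. The httpd fragment and `workers.properties` it reads are constructed samples; the parser handles only the plain `JkOptions`, `JkMount` and `worker.*` syntax shown, and it assumes (an assumption, not a statement of the advisory) that the advisory's "first defined worker" is the first entry of `worker.list`.

```python
"""Audit a mod_jk configuration for the implicit-mapping risk of CVE-2023-41081."""
import re

# Constructed sample (not from the report): +ForwardDirectories is enabled but
# only one path is mounted, so any other request would be mapped implicitly
# on mod_jk <= 1.2.48.
HTTPD_CONF_VULNERABLE = """\
JkWorkersFile /etc/libapache-mod-jk/workers.properties
JkOptions +ForwardDirectories +ForwardKeySize
JkMount /app/* ajp13
"""

# Hardened variant: the option is dropped and the status worker is reachable
# only through an explicit JkMount. Upgrading to 1.2.49 remains the real fix.
HTTPD_CONF_HARDENED = """\
JkWorkersFile /etc/libapache-mod-jk/workers.properties
JkOptions +ForwardKeySize
JkMount /app/* ajp13
JkMount /jk-status jkstatus
"""

# Constructed workers.properties: the status worker happens to be listed first.
WORKERS_PROPERTIES = """\
worker.list=jkstatus,ajp13
worker.jkstatus.type=status
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
"""


def parse_jk_options(conf):
    """Return the set of JkOptions flags still enabled after +/- processing."""
    enabled = set()
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "JkOptions":
            for token in parts[1:]:
                if token.startswith("+"):
                    enabled.add(token[1:])
                elif token.startswith("-"):
                    enabled.discard(token[1:])
    return enabled


def parse_jk_mounts(conf):
    """Return (pattern, worker) pairs from JkMount directives."""
    mounts = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "JkMount":
            mounts.append((parts[1], parts[2]))
    return mounts


def parse_workers(props):
    """Return (ordered worker.list, {worker name: type}) from workers.properties."""
    worker_list, types = [], {}
    for raw in props.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "worker.list":
            worker_list = [w.strip() for w in value.split(",") if w.strip()]
        match = re.fullmatch(r"worker\.([^.]+)\.type", key)
        if match:
            types[match.group(1)] = value
    return worker_list, types


def audit(conf, props):
    """Return a list of findings; an empty list means no implicit-mapping exposure found."""
    findings = []
    if "ForwardDirectories" not in parse_jk_options(conf):
        return findings
    findings.append(
        "JkOptions +ForwardDirectories is enabled: on mod_jk 1.2.0-1.2.48 a request "
        "with no explicit JkMount is mapped implicitly to the first defined worker"
    )
    worker_list, types = parse_workers(props)
    # Assumption: "first defined worker" means the first entry of worker.list.
    if worker_list and types.get(worker_list[0]) == "status":
        findings.append(
            f"first worker in worker.list is the status worker '{worker_list[0]}'; "
            "an implicit mapping would expose it"
        )
    mounted = {worker for _, worker in parse_jk_mounts(conf)}
    for name in worker_list:
        if name not in mounted:
            findings.append(
                f"worker '{name}' has no explicit JkMount; before 1.2.49 it could "
                "still be reached through the implicit mapping"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", HTTPD_CONF_VULNERABLE), ("hardened", HTTPD_CONF_HARDENED)):
        print(label, audit(conf, WORKERS_PROPERTIES))
```

Run against the two samples, the vulnerable fragment yields three findings and the hardened one none. The script only reads configuration; whether a given host is actually exposed still depends on the installed mod_jk version, which is why the 1.2.49 upgrade shipped in the package below is the primary mitigation.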
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.49-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Sep 2023 00:25:01 +0200
Source: libapache-mod-jk
Architecture: source
Version: 1:1.2.49-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1051956
Changes:
 libapache-mod-jk (1:1.2.49-1) unstable; urgency=high
 .
   * New upstream version 1.2.49.
     - Fix CVE-2023-41081:
       The mod_jk component of Apache Tomcat Connectors in some circumstances,
       such as when a configuration included "JkOptions +ForwardDirectories" but
       the configuration did not provide explicit mounts for all possible
       proxied requests, mod_jk would use an implicit mapping and map the
       request to the first defined worker. Such an implicit mapping could
       result in the unintended exposure of the status worker and/or bypass
       security constraints configured in httpd. As of JK 1.2.49, the implicit
       mapping functionality has been removed and all mappings must now be via
       explicit configuration. (Closes: #1051956)
       Thanks to Salvatore Bonaccorso for the report.
Checksums-Sha1:
 56a34e3f63065b09fe365652ebf36e45ea79f911 2545 libapache-mod-jk_1.2.49-1.dsc
 25dd674678c424053bca903298d19a3aa1b19b7a 1702479 libapache-mod-jk_1.2.49.orig.tar.gz
 0673e5bfba631803510cf8acfca4f05ab30a2495 873 libapache-mod-jk_1.2.49.orig.tar.gz.asc
 8c05751a3d16294caf10ba2cefdf705ffc12defc 60712 libapache-mod-jk_1.2.49-1.debian.tar.xz
 f93d4e6e0b85eb12b9108b1229a1c0b9f2ecf13f 11195 libapache-mod-jk_1.2.49-1_amd64.buildinfo
Checksums-Sha256:
 2117d18c98b709010d8568e820be14f646c3572a8432e719b3f790f80352053b 2545 libapache-mod-jk_1.2.49-1.dsc
 43cb0283c92878e9d4ef110631dbd2beb6b55713c127ce043190b2b308757e9c 1702479 libapache-mod-jk_1.2.49.orig.tar.gz
 ba9d62262983873aa780aea48332c98b76f888c95016bb50a6ab7ca7497758e3 873 libapache-mod-jk_1.2.49.orig.tar.gz.asc
 f9e2e1542761c272019cea95ec94941c7f1e304c2bbb1ba89dac9f76a1ea5598 60712 libapache-mod-jk_1.2.49-1.debian.tar.xz
 b4db2e846ded617f7d58d3edf786b7614d45f01989d883615cea63aafe617e4f 11195 libapache-mod-jk_1.2.49-1_amd64.buildinfo
Files:
 4ce3ac9cb2a85103cdc802b56635f36a 2545 httpd optional libapache-mod-jk_1.2.49-1.dsc
 305f10b491c38f7e9615e832c2f4f336 1702479 httpd optional libapache-mod-jk_1.2.49.orig.tar.gz
 b7242bca860d92831f9b19d65eba3656 873 httpd optional libapache-mod-jk_1.2.49.orig.tar.gz.asc
 ebe4ce95bba98d2c55d16396d5a75a2b 60712 httpd optional libapache-mod-jk_1.2.49-1.debian.tar.xz
 6852a91e8d1d3718e19a4eb448e4f656 11195 httpd optional libapache-mod-jk_1.2.49-1_amd64.buildinfo


--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.