Your message dated Sun, 24 Sep 2023 19:47:09 +0000
with message-id <[email protected]>
and subject line Bug#1051956: fixed in libapache-mod-jk 1:1.2.48-2+deb12u1
has caused the Debian Bug report #1051956,
regarding libapache-mod-jk: CVE-2023-41081
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1051956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051956
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache-mod-jk
Version: 1:1.2.48-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libapache-mod-jk.
CVE-2023-41081[0]:
| The mod_jk component of Apache Tomcat Connectors in some
| circumstances, such as when a configuration included "JkOptions
| +ForwardDirectories" but the configuration did not provide
| explicit mounts for all possible proxied requests, mod_jk would
| use an implicit mapping and map the request to the first defined
| worker. Such an implicit mapping could result in the unintended
| exposure of the status worker and/or bypass security constraints
| configured in httpd. As of JK 1.2.49, the implicit mapping
| functionality has been removed and all mappings must now be via
| explicit configuration. Only mod_jk is affected by this issue. The
| ISAPI redirector is not affected. This issue affects Apache Tomcat
| Connectors (mod_jk only): from 1.2.0 through 1.2.48. Users are
| recommended to upgrade to version 1.2.49, which fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-41081
https://www.cve.org/CVERecord?id=CVE-2023-41081
[1] https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
[2] http://www.openwall.com/lists/oss-security/2023/09/13/2
[3] https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
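The advisory above describes a configuration pattern rather than a code defect: with `JkOptions +ForwardDirectories` set and no explicit mount for some request paths, mod_jk 1.2.48 and earlier could fall back to an implicit mapping onto the first defined worker, which is a problem when that worker is the status worker. The following httpd/mod_jk fragment is an added illustration, not taken from the bug report or from the Debian package; it puts that weak pattern next to a hardened one. Worker names, paths and the IP range are constructed placeholders.

```apache
# Added illustration (not from the bug report or the Debian package).
# Worker names, paths and the IP range below are constructed placeholders.

# --- Pattern the advisory describes (mod_jk <= 1.2.48) ---
# workers.properties (assumed content):
#   worker.list=status,ajp13          # "status" is the first defined worker
#   worker.status.type=status
#   worker.ajp13.type=ajp13
#   worker.ajp13.host=localhost
#   worker.ajp13.port=8009
JkOptions +ForwardDirectories
JkMount /app/* ajp13
# No explicit mount covers the remaining request paths. With ForwardDirectories
# enabled, mod_jk could map such a request implicitly onto the first defined
# worker, here the status worker, bypassing any httpd access control written
# for the path where the status page was meant to live.

# --- Hardened equivalent: every proxied path is mounted explicitly ---
# workers.properties (assumed content):
#   worker.list=ajp13,status          # application worker first, status last
#   worker.ajp13.type=ajp13
#   worker.ajp13.host=localhost
#   worker.ajp13.port=8009
#   worker.status.type=status
# Leave ForwardDirectories off unless directory forwarding is actually needed.
JkMount /app/* ajp13
JkUnMount /app/static/* ajp13        # served by httpd itself, never proxied
<Location "/jkstatus">
    JkMount status                   # the only path that reaches the status worker
    Require ip 127.0.0.1 ::1 192.0.2.0/24
</Location>
```

After applying the update (1:1.2.48-2+deb12u1 on bookworm, or upstream 1.2.49), the implicit mapping is gone and a request that matches no `JkMount` is no longer forwarded at all, so a quick check is to confirm that every URL you expect Tomcat to serve has an explicit mount, and that the status worker is reachable only through the restricted location.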
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.48-2+deb12u1
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libapache-mod-jk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 24 Sep 2023 16:40:59 +0200
Source: libapache-mod-jk
Architecture: source
Version: 1:1.2.48-2+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1051956
Changes:
libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high
.
* Fix CVE-2023-41081:
The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
forward requests from Apache to Tomcat, in some circumstances, such as when
a configuration included "JkOptions +ForwardDirectories" but the
configuration did not provide explicit mounts for all possible proxied
requests, mod_jk would use an implicit mapping and map the request to the
first defined worker. Such an implicit mapping could result in the
unintended exposure of the status worker and/or bypass security constraints
configured in httpd. As of this security update, the implicit mapping
functionality has been removed and all mappings must now be via explicit
configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
(Closes: #1051956)
Checksums-Sha1:
a14d6f34c6470c661e2ef17a67aee53e2b709f69 2303 libapache-mod-jk_1.2.48-2+deb12u1.dsc
57a7b6c9d1f0533d52c5266a39cf11d18b412139 61092 libapache-mod-jk_1.2.48-2+deb12u1.debian.tar.xz
020372d857bb06dfd628b494ccf0c96e70af3333 11309 libapache-mod-jk_1.2.48-2+deb12u1_amd64.buildinfo
Checksums-Sha256:
6da38fcdcde8bf8f4a955635e11a1a8c015542d75e0d3edcdb47433490a4321d 2303 libapache-mod-jk_1.2.48-2+deb12u1.dsc
d15998c8f5fcab3bee5ba728d2e8a55de43a8afecd065941b38466f6cfcc5fb8 61092 libapache-mod-jk_1.2.48-2+deb12u1.debian.tar.xz
eebf5608950bd30b6876beb3c146ddbdcb7dc66ca9eef17b908ca1e19ac57993 11309 libapache-mod-jk_1.2.48-2+deb12u1_amd64.buildinfo
Files:
1be6ef54c0271071d4a8d290bc1a4e70 2303 httpd optional libapache-mod-jk_1.2.48-2+deb12u1.dsc
6cfc7600a6bf46cfdadc66956423720b 61092 httpd optional libapache-mod-jk_1.2.48-2+deb12u1.debian.tar.xz
77a893f9ab9443f557aa367dad2dde59 11309 httpd optional libapache-mod-jk_1.2.48-2+deb12u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=rAIX
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.