Your message dated Sun, 24 Sep 2023 19:47:33 +0000
with message-id <[email protected]>
and subject line Bug#1051956: fixed in libapache-mod-jk 1:1.2.48-1+deb11u1
has caused the Debian Bug report #1051956,
regarding libapache-mod-jk: CVE-2023-41081
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1051956: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051956
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache-mod-jk
Version: 1:1.2.48-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libapache-mod-jk.

CVE-2023-41081[0]:
| The mod_jk component of Apache Tomcat Connectors in some
| circumstances, such as when a configuration included "JkOptions
| +ForwardDirectories" but the configuration did not provide
| explicit mounts for all possible proxied requests, mod_jk would
| use an implicit mapping and map the request to the first defined
| worker. Such an implicit mapping could result in the unintended
| exposure of the status worker and/or bypass security constraints
| configured in httpd. As of JK 1.2.49, the implicit mapping
| functionality has been removed and all mappings must now be via
| explicit configuration. Only mod_jk is affected by this issue. The
| ISAPI redirector is not affected.  This issue affects Apache Tomcat
| Connectors (mod_jk only): from 1.2.0 through 1.2.48.  Users are
| recommended to upgrade to version 1.2.49, which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41081
    https://www.cve.org/CVERecord?id=CVE-2023-41081
[1] https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
[2] http://www.openwall.com/lists/oss-security/2023/09/13/2
[3] https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
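The report above describes the hazard in prose: with "JkOptions +ForwardDirectories" set and no explicit JkMount covering every path that can reach mod_jk, an unmapped request is silently handed to the first defined worker, which may be the status worker or a Tomcat worker behind httpd access rules. The script below is an added example, not code from the bug report, from Debian, or from the Tomcat Connectors project. It writes a constructed workers.properties plus a weak and a hardened httpd snippet, then runs a small audit over them. Worker names, the AJP port, the /app and /jk-status paths and the config file locations are made up; it assumes "first defined worker" means the first entry of worker.list, and that httpd 2.4 "Require ip" syntax is available. The check is a heuristic: it flags the risky combination but cannot prove that every proxied request has an explicit mount, and the actual fix is the updated package, which removes implicit mapping.

```shell
#!/bin/sh
# Added example: audit a mod_jk setup for the implicit-mapping hazard
# (CVE-2023-41081 as described in the bug report). Not project code.
# Assumption: "first defined worker" = first entry of worker.list.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed workers.properties: the status worker happens to be listed first.
cat >"$WORKDIR/workers.properties" <<'EOF'
worker.list=jkstatus,ajp13
worker.jkstatus.type=status
worker.ajp13.type=ajp13
worker.ajp13.host=127.0.0.1
worker.ajp13.port=8009
EOF

# Constructed weak snippet: +ForwardDirectories with a single explicit mount,
# so any other directory request falls through to the first worker.
cat >"$WORKDIR/jk-weak.conf" <<'EOF'
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
JkOptions +ForwardDirectories
JkMount /app/* ajp13
EOF

# Constructed hardened snippet: ForwardDirectories off, every proxied path
# mounted explicitly, status worker on its own path and restricted to localhost.
cat >"$WORKDIR/jk-hardened.conf" <<'EOF'
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
JkOptions -ForwardDirectories
JkMount /app ajp13
JkMount /app/* ajp13
JkMount /jk-status jkstatus
<Location /jk-status>
    Require ip 127.0.0.1
</Location>
EOF

# first_worker FILE: print the first entry of worker.list (empty if none).
first_worker() {
    sed -n 's/^[[:space:]]*worker\.list[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | tr -d '[:space:]' | cut -d, -f1
}

# worker_type FILE NAME: print the declared type of worker NAME (empty if none).
worker_type() {
    sed -n "s/^[[:space:]]*worker\.$2\.type[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | tr -d '[:space:]'
}

# forwards_directories CONF: succeed when JkOptions enables +ForwardDirectories.
forwards_directories() {
    grep -Eq '^[[:space:]]*JkOptions[[:space:]].*[+]ForwardDirectories' "$1"
}

# status_mounted CONF NAME: succeed when worker NAME has an explicit JkMount.
status_mounted() {
    grep -Eq "^[[:space:]]*JkMount[[:space:]]+[^[:space:]]+[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# assess CONF WORKERS: classify the pre-1.2.49 implicit-mapping exposure.
#   status-worker-exposed     first worker is a status worker and fall-through is on
#   implicit-mapping-possible fall-through is on; unmapped requests reach the first worker
#   explicit-only             fall-through is off; only JkMount'ed paths are proxied
assess() {
    first=$(first_worker "$2")
    type=$(worker_type "$2" "$first")
    if forwards_directories "$1" && [ "$type" = "status" ]; then
        echo status-worker-exposed
    elif forwards_directories "$1"; then
        echo implicit-mapping-possible
    else
        echo explicit-only
    fi
}

printf 'weak config:     %s\n' "$(assess "$WORKDIR/jk-weak.conf" "$WORKDIR/workers.properties")"
printf 'hardened config: %s\n' "$(assess "$WORKDIR/jk-hardened.conf" "$WORKDIR/workers.properties")"
```

The hardened snippet also illustrates the intended shape after the fix: every URL that should reach Tomcat has its own JkMount, and the status worker is reachable only at a path you chose and only from addresses you trust, so nothing depends on an accidental first position in worker.list.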
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.48-1+deb11u1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 Sep 2023 17:09:51 +0200
Source: libapache-mod-jk
Architecture: source
Version: 1:1.2.48-1+deb11u1
Distribution: bullseye
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1051956
Changes:
 libapache-mod-jk (1:1.2.48-1+deb11u1) bullseye; urgency=high
 .
   * Fix CVE-2023-41081:
     The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
     forward requests from Apache to Tomcat, in some circumstances, such as when
     a configuration included "JkOptions +ForwardDirectories" but the
     configuration did not provide explicit mounts for all possible proxied
     requests, mod_jk would use an implicit mapping and map the request to the
     first defined worker. Such an implicit mapping could result in the
     unintended exposure of the status worker and/or bypass security constraints
     configured in httpd. As of this security update, the implicit mapping
     functionality has been removed and all mappings must now be via explicit
     configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
     (Closes: #1051956)
Checksums-Sha1:
 7b98ce89cf68f3675dcd4bc5695fb722e5e1407b 2302 libapache-mod-jk_1.2.48-1+deb11u1.dsc
 0f6a8acd0caaf53a4d57ccce03b42575212a13ae 61032 libapache-mod-jk_1.2.48-1+deb11u1.debian.tar.xz
 21999a24525942d16874136b0a042d0d7577a41d 10578 libapache-mod-jk_1.2.48-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 b721bfbbc000b834b284ec6a7e330debe645842ecb9422eda9fa990709cf1ac7 2302 libapache-mod-jk_1.2.48-1+deb11u1.dsc
 2201ba8a3bb20fa88dfeda7229eaa310ba88dccfb5c140c616040b9c2275dae4 61032 libapache-mod-jk_1.2.48-1+deb11u1.debian.tar.xz
 fff3b9e880aff99ac1b87304d6b03b3ccb34e1354ab12cd63cba93a28cd8c3d4 10578 libapache-mod-jk_1.2.48-1+deb11u1_amd64.buildinfo
Files:
 2ceb462fee30fd419e7d6afd4225dcdc 2302 httpd optional libapache-mod-jk_1.2.48-1+deb11u1.dsc
 362b4e36beff92cbd22cf617fe7ea77a 61032 httpd optional libapache-mod-jk_1.2.48-1+deb11u1.debian.tar.xz
 437874e82a498fcf2945e5cdc16e1d86 10578 httpd optional libapache-mod-jk_1.2.48-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---