On Fri, 24 Apr 2015 12:11:40 +0200 Raphael Hertzog <hert...@debian.org> wrote:

> Source: libapache-mod-jk
> Severity: serious
> Tags: security
>
> Hi,
>
> the following vulnerability was published for libapache-mod-jk.
>
> CVE-2014-8111:
> | Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
> | rules for subtrees of previous JkMount rules, which allows remote
> | attackers to access otherwise restricted artifacts via unspecified
> | vectors.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> https://security-tracker.debian.org/tracker/CVE-2014-8111
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
>
> Please adjust the affected versions in the BTS as needed.
>
> The upstream fix is here: http://svn.apache.org/r1647017
>
> Feel free to lower the severity if you believe the issue to be minor. I'm
> not familiar enough with the software to be able to judge.
This bug is only fixed in upstream's version control system. Version 1.2.41 hasn't been released yet. If nobody has any objections, I'm going ahead and packaging an SVN snapshot of libapache-mod-jk. I will also try to fix the version in wheezy and possibly squeeze.

Markus
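To make the JkMount/JkUnmount interaction described in the advisory concrete, here is an added, simplified model of the mapping logic (not mod_jk's own uri_worker_map code, and not part of this thread): the glob matching, the sample configuration and the notion of "subtree" are assumptions for illustration; the only fact taken from the advisory is that, before 1.2.41, an unmount nested inside an earlier mount did not take effect.

```python
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed configuration: mount a whole application, then unmount a
# sub-tree of it that must never be handed to the backend worker.
MOUNTS: List[Tuple[str, str]] = [("/app/*", "worker1")]
UNMOUNTS: List[Tuple[str, str]] = [("/app/private/*", "worker1")]


def _matches(pattern: str, uri: str) -> bool:
    """Assumption: JkMount-style patterns behave like shell globs."""
    return fnmatchcase(uri, pattern)


def _is_subtree(unmount_pattern: str, mount_pattern: str) -> bool:
    """An unmount is a sub-tree of a mount when its fixed prefix (the part
    before the '*') lies below the mount's fixed prefix."""
    unmount_prefix = unmount_pattern.split("*", 1)[0]
    mount_prefix = mount_pattern.split("*", 1)[0]
    return unmount_prefix != mount_prefix and unmount_prefix.startswith(mount_prefix)


def _route(uri: str, honour_subtree_unmounts: bool) -> Optional[str]:
    """Return the worker a request is forwarded to, or None if Apache
    serves it itself."""
    for mount_pattern, worker in MOUNTS:
        if not _matches(mount_pattern, uri):
            continue
        for unmount_pattern, unmount_worker in UNMOUNTS:
            if unmount_worker != worker or not _matches(unmount_pattern, uri):
                continue
            # Flawed behaviour (CVE-2014-8111): an unmount that is a sub-tree
            # of the mount already matched is skipped, so it cannot cancel
            # the match.  The fixed behaviour honours it.
            if honour_subtree_unmounts or not _is_subtree(unmount_pattern, mount_pattern):
                return None
        return worker
    return None


def route_before_fix(uri: str) -> Optional[str]:
    """Model of mod_jk before 1.2.41: nested JkUnmount rules are ignored."""
    return _route(uri, honour_subtree_unmounts=False)


def route_after_fix(uri: str) -> Optional[str]:
    """Model of the fixed behaviour: a matching JkUnmount always wins."""
    return _route(uri, honour_subtree_unmounts=True)
```

Comparing `route_before_fix` and `route_after_fix` on a path under the unmounted sub-tree shows why the unmount alone was not a reliable control until the package was updated.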