Your message dated Fri, 22 May 2015 05:18:52 +0000
with message-id <e1yvfmc-0006kr...@franck.debian.org>
and subject line Bug#783233: fixed in libapache-mod-jk 1:1.2.40+svn150520-1
has caused the Debian Bug report #783233,
regarding CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of 
previous JkMount rules
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
783233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapache-mod-jk
Severity: serious 
Tags: security

Hi,

the following vulnerability was published for libapache-mod-jk.

CVE-2014-8111[0]:
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
| rules for subtrees of previous JkMount rules, which allows remote
| attackers to access otherwise restricted artifacts via unspecified
| vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8111
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
    Please adjust the affected versions in the BTS as needed.

The upstream fix is here: http://svn.apache.org/r1647017

Feel freet to lower the severiy if you believe the issue to be minor. I'm
not familiar enough with the software to be able to judge.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.40+svn150520-1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2015 17:53:24 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source all amd64
Version: 1:1.2.40+svn150520-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description:
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes:
 libapache-mod-jk (1:1.2.40+svn150520-1) unstable; urgency=high
 .
   * Team upload.
   * Imported Upstream SVN snapshot version 1.2.40+svn150520.
     - Fix CVE-2014-8111: (Closes: #783233)
       Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees of
       previous JkMount rules, which allows remote attackers to access otherwise
       restricted artifacts via unspecified vectors.
   * debian/control: Build-Depend on debhelper >= 9.
   * Remove source.lintian-overrides since we now build-depend on debhelper >=9.
   * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
   * debian/rules:
     - Disable sed command in debian/rules. Apparently not necessary for this
       release.
     - Run buildconf.sh before dh_auto_configure step since this is a 
requirement
       for building SVN snapshots.
     - Update dh_auto_clean override. Ensure that the package can be built twice
       in a row.
   * debian/control:
     - Add autoconf to Build-Depends.
     - Add automake to Build-Depends.
     - Remove Conflicts and Replaces fields because they are obsolete.
   * Add disable-libtool-check.patch and fix a FTBFS. We already build-depend on
     libtool but the script is not smart enough.
   * Add fix-privacy-breach.patch and fix lintian errors about "privacy breach
     logo".
   * Update debian/copyright information. Add missing BSD-3-clause license.
   * Add README.source.
Checksums-Sha1:
 02223ab09d0ac9f826d6a7db1e04058a951b69e7 2254 
libapache-mod-jk_1.2.40+svn150520-1.dsc
 e6b595d75a3767d2ec228506b801ec6c1f90b7b8 1045078 
libapache-mod-jk_1.2.40+svn150520.orig.tar.gz
 479ad05498daad7438b9f15e6041141f83f33bbc 10872 
libapache-mod-jk_1.2.40+svn150520-1.debian.tar.xz
 0ce1145629a7a99b2823a7c02197b045ccf4dd59 175898 
libapache-mod-jk-doc_1.2.40+svn150520-1_all.deb
 7d93a052f5a9eb2132a835cb7eff8abcd9541362 163466 
libapache2-mod-jk_1.2.40+svn150520-1_amd64.deb
Checksums-Sha256:
 e8b76f655b5c30ef8693711c39888f2917b6a400360c68db3ccdcbb2e11fab83 2254 
libapache-mod-jk_1.2.40+svn150520-1.dsc
 883967f985505a77c9dc0802e733785a92a12e8cab1f04bab959d1b1b7d1dc73 1045078 
libapache-mod-jk_1.2.40+svn150520.orig.tar.gz
 59545ce6e726ac8acd461510796c6ed547090632066a566fd46bef231ccd9325 10872 
libapache-mod-jk_1.2.40+svn150520-1.debian.tar.xz
 ca6d67e437bcf8ff67894123b6826a8994132dba4efeb33d9a8b383d2d0ac75c 175898 
libapache-mod-jk-doc_1.2.40+svn150520-1_all.deb
 8a1d960fa25006c1c91b69fd4a240143ccdd758fbcb3851cb7f361c1600d50ae 163466 
libapache2-mod-jk_1.2.40+svn150520-1_amd64.deb
Files:
 25762e31365b75121063590c0322bffc 2254 httpd optional 
libapache-mod-jk_1.2.40+svn150520-1.dsc
 73e6d5ae79169578b053f190d7913604 1045078 httpd optional 
libapache-mod-jk_1.2.40+svn150520.orig.tar.gz
 409e1f2cb6a2933e72be26d92d311f4c 10872 httpd optional 
libapache-mod-jk_1.2.40+svn150520-1.debian.tar.xz
 fb1e64506b82a90b7f031b4233eaa38c 175898 doc optional 
libapache-mod-jk-doc_1.2.40+svn150520-1_all.deb
 486138d37185cbc4951384723eba3f95 163466 httpd optional 
libapache2-mod-jk_1.2.40+svn150520-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVXrhrAAoJECHSBYmXSz6WilMP/3R+30lZOUhvG6aDQemfCSNl
RzWUxMK8EuujDGPVY58Zra/4MpAJ1oGXHvwSTtsiE6snXhW/f35MmvNyUVVohnFQ
2nNLm/kaKsRxsRrdT7XrYApAlWbliJZy3uAiTWW48ObPQYmzePQWfFheVt0dXDrQ
2EdiCMeSQQ14+G5iu3u70b89Hqu/JVVhI5JGOePsYP6ZHycJSMdjHkvqTBg6p7YM
O77cef6EDFGsOMBhMD9EtXTVUejv8ZIZvE862itiKCWOpgtkAOHZ4Xc8XJyxrrIJ
xYwTYdwaqHSFgnpxgDl75PY0x4VMIsi/wL68l/aFvQ0jNkP6IRYqXSzOSKZSJFN/
NI57hHg3WtTwIPqg71Tcql9o4mPBga41tww940IHfr1gD1KfOnGqLCHNvXudym0z
wpQEWe+8j24q2MneANMXGJKgTgtWz4Z+9KgkGCdn9qBZDbZxeUcswrw4XVABrfqg
5Vli509X4p80EpOLFqPgcAlbfDo3JSyvl06aBMbQtus5JRhbPXMoZluC49tAOsU2
GmiajyuYKguLgVeqVOYiS2U3QrzC2nOHIt/02q8SpBGpIza8MHj0zuKCqAHnVxWS
QeiZ4D66LFaZeg7ctSMOZwCXANXZNSJDbfNLBYAJpzKJUyO8LiEyG8DgDegmoXw7
z9y23yhKBgQhE3HlnUZM
=tHFm
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to