Your message dated Tue, 09 Jun 2015 18:20:41 +0000
with message-id <[email protected]>
and subject line Bug#783233: fixed in libapache-mod-jk 1:1.2.30-1squeeze2
has caused the Debian Bug report #783233,
regarding CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
783233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783233
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libapache-mod-jk
Severity: serious 
Tags: security

Hi,

the following vulnerability was published for libapache-mod-jk.

CVE-2014-8111[0]:
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
| rules for subtrees of previous JkMount rules, which allows remote
| attackers to access otherwise restricted artifacts via unspecified
| vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8111
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
    Please adjust the affected versions in the BTS as needed.

The upstream fix is here: http://svn.apache.org/r1647017

Feel free to lower the severity if you believe the issue to be minor. I'm
not familiar enough with the software to be able to judge.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.30-1squeeze2

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 30 May 2015 14:54:17 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source amd64 all
Version: 1:1.2.30-1squeeze2
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description: 
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes: 
 libapache-mod-jk (1:1.2.30-1squeeze2) squeeze-lts; urgency=high
 .
   * Team upload.
   * Add CVE-2014-8111.patch. (Closes: #783233)
     It was discovered that a JkUnmount rule for a subtree of a previous JkMount
     rule could be ignored. This could allow a remote attacker to potentially
     access a private artifact in a tree that would otherwise not be accessible
     to them.
     - Add option to control handling of multiple adjacent slashes in mount and
       unmount. New default is collapsing the slashes only in unmount. Before
       this change, adjacent slashes were never collapsed, so most mounts and
       unmounts didn't match for URLs with multiple adjacent slashes.
     - Configuration is done via new JkOption for Apache (values
       "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount").


--- End Message ---
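The changelog above describes the fix only in terms of slash handling. The following simulation is added for this page (it is not mod_jk's code) to show how the three CollapseSlashes JkOption values decide whether a request is handed to Tomcat; the mount table, the sample URIs and the glob matcher are constructed assumptions that approximate mod_jk's JkMount/JkUnMount semantics, so a maintainer can see why the new default (CollapseSlashesUnmount) keeps the JkUnMount effective and why CollapseSlashesNone should not be chosen.

```python
import re

# Constructed sample configuration: mount the whole application, then
# unmount a private subtree (the pattern the advisory is about).
MOUNTS = [
    ("JkMount", "/app/*"),
    ("JkUnMount", "/app/private/*"),
]

OPTIONS = ("CollapseSlashesNone", "CollapseSlashesUnmount", "CollapseSlashesAll")


def wildcard_match(pattern, uri):
    """Glob match where '*' matches any run of characters, '/' included.
    Simplified model of how patterns like '/app/*' are applied (assumption,
    not mod_jk's own matcher)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, uri) is not None


def collapse_slashes(uri):
    """Fold runs of adjacent slashes into one: '/app//x' -> '/app/x'."""
    return re.sub(r"/{2,}", "/", uri)


def is_forwarded(uri, mounts=MOUNTS, option="CollapseSlashesUnmount"):
    """Return True if the request URI would be forwarded to Tomcat.

    option is one of the JkOption values from the changelog:
      CollapseSlashesNone    - never collapse (pre-fix behaviour)
      CollapseSlashesUnmount - collapse only when testing JkUnMount (new default)
      CollapseSlashesAll     - collapse for JkMount and JkUnMount alike
    Unmount rules take precedence over mount rules (model assumption).
    """
    if option not in OPTIONS:
        raise ValueError("unknown JkOption: %s" % option)
    mount_uri = collapse_slashes(uri) if option == "CollapseSlashesAll" else uri
    unmount_uri = collapse_slashes(uri) if option != "CollapseSlashesNone" else uri
    mounted = any(wildcard_match(p, mount_uri) for kind, p in mounts if kind == "JkMount")
    if not mounted:
        return False  # Apache serves it itself; mod_jk is not involved
    unmounted = any(wildcard_match(p, unmount_uri) for kind, p in mounts if kind == "JkUnMount")
    return not unmounted


def audit(option):
    """Forwarding decision for each constructed sample URI under one option."""
    samples = ["/app/index.jsp", "/app/private/secret.jsp", "/app//private/secret.jsp"]
    return {u: is_forwarded(u, MOUNTS, option) for u in samples}


if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, audit(opt))
```

Running the audit under each option shows that only CollapseSlashesNone leaves the private subtree reachable through a URI with doubled slashes, which is the pre-fix behaviour the advisory reports.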
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
[email protected] for discussions and questions.
