On 07.10.2016 14:15, Salvatore Bonaccorso wrote:
[...]
> Now whilst the affected code is back present in 1.2.0, I need some
> help understanding the actual impact for us. According to the build
> log this common code is as well compiled into mod_jk. The
> upstream description though mentions that the resulting security impact
> seems only relevant when run under IIS.
> https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
> that a mitigation would be to "Where available, use IIS configuration
> to restrict the maximum URI length to 4095 - (the length of the
> longest virtual host name)".
>
> Can you clarify if this is correct? If so we would mark the CVE as
> (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> upload to unstable can then mark the CVE as fixed.
>
> Please let me know if the above statement about the issue being
> relevant only under IIS is correct this way.
Looking at native/common/jk_uri_worker_map.c it appears that the affected map_uri_to_worker_ext function is shared between the IIS, Apache 1.3 and Apache 2.0 modules, and the latter is used by Debian. So for me it looks relevant to us.

Regards,
Markus
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.