Hi Markus,

On Fri, Oct 07, 2016 at 03:21:54PM +0200, Markus Koschany wrote:
> On 07.10.2016 14:15, Salvatore Bonaccorso wrote:
> [...]
> >
> > Now whilst the affected code is back present in 1.2.0, I need some
> > help understanding the actual impact for us. According to the build
> > log this common code is as well compiled into mod_jk. The
> > upstream description though mentions that the resulting security impact
> > seems only relevant when run under IIS.
> > https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
> > that a mitigation would be to "Where available, use IIS configuration
> > to restrict the maximum URI length to 4095 - (the length of the
> > longest virtual host name)".
> >
> > Can you clarify if this is correct? If so we would mark the CVE as
> > (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> > upload to unstable can then mark the CVE as fixed.
> >
> > Please let me know if the above statement about the issue being
> > relevant only under IIS is correct this way.
>
> Looking at native/common/jk_uri_worker_map.c it appears that the
> affected map_uri_to_worker_ext function is shared between the IIS,
> Apache 1.3 and Apache-2.0 modules and the latter is used by Debian. So
> for me it looks relevant to us.
Thanks for your investigation! Do you have a good upstream contact to try to clarify why the above statement was made?

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.

