Hi Markus,

On Fri, Oct 07, 2016 at 03:21:54PM +0200, Markus Koschany wrote:
> On 07.10.2016 14:15, Salvatore Bonaccorso wrote:
> [...]
> > 
> > Now whilst the affected code is back present in 1.2.0, I need some
> > help understanding the actual impact for us. According to the build
> > log this common code is as well compiled into mod_jk. The
> > upstream description though mentions that the resulting security impact
> > seems only relevant when run under IIS.
> > https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
> > that a mitigation would be to "Where available, use IIS configuration
> > to restrict the maximum URI length to 4095 - (the length of the
> > longest virtual host name)".
> > 
> > Can you clarify if this is correct? If so we would mark the CVE as
> > (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> > upload to unstable can then mark the CVE as fixed.
> > 
> > Please let me know if the above statement about the issue being
> > relevant only under IIS is correct this way.
> 
> Looking at native/common/jk_uri_worker_map.c it appears that the
> affected map_uri_to_worker_ext function is shared between the IIS,
> Apache 1.3 and Apache-2.0 modules and the latter is used by Debian. So
> for me it looks relevant to us.

Thanks for your investigation! Do you have a good upstream contact to try
to clarify why the above statement was made?

Regards,
Salvatore
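As an added illustration (not part of this thread or of mod_jk itself): a small Python check that applies the quoted mitigation bound, 4095 minus the longest virtual host name, to request URIs parsed from access-log lines, so an operator can see whether any traffic already exceeds the limit before the IIS configuration is tightened. The vhost names and log lines are constructed samples.

```python
import re

# Constructed sample vhost list; replace with the names actually served.
VHOSTS = [
    "www.example.test",
    "intranet.example.test",
    "a.very.long.virtual.host.name.example.test",  # 42 characters
]

# Common/combined log format: client ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Constructed sample log lines: one ordinary request, one with a ~4 KiB URI.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2016:14:15:00 +0200] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Oct/2016:14:16:00 +0200] "GET /' + "A" * 4100 + ' HTTP/1.1" 404 209',
]


def max_safe_uri_len(vhosts, limit=4095):
    """Bound from the upstream advice: 4095 minus the longest virtual host name."""
    return limit - max(len(v) for v in vhosts)


def parse_request_uri(line):
    """Return the request URI from an access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.group("uri") if m else None


def find_overlong_requests(lines, vhosts):
    """Return (truncated URI, length) for every request whose URI exceeds the bound."""
    bound = max_safe_uri_len(vhosts)
    hits = []
    for line in lines:
        uri = parse_request_uri(line)
        if uri is not None and len(uri) > bound:
            hits.append((uri[:40], len(uri)))
    return hits


if __name__ == "__main__":
    print("max safe URI length:", max_safe_uri_len(VHOSTS))
    for uri, n in find_overlong_requests(SAMPLE_LOG, VHOSTS):
        print(f"over limit ({n} bytes): {uri}...")
```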

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.