Markus Koschany pushed to branch stretch at Debian Java Maintainers / libapache-mod-jk
Commits: f3be6caf by Markus Koschany at 2023-09-24T21:00:31+02:00 Fix CVE-2023-41081 - - - - - f1a8368b by Markus Koschany at 2023-09-24T21:02:47+02:00 Update changelog - - - - - 7 changed files: - debian/changelog - debian/patches/0001-disable-logo.patch - debian/patches/0002-debianize-log-directory.patch - debian/patches/0003-upgrade-info-to-error-message.patch - + debian/patches/CVE-2023-41081.patch - debian/patches/fix-privacy-breach.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,19 @@ +libapache-mod-jk (1:1.2.46-0+deb9u2) stretch-security; urgency=high + + * Fix CVE-2023-41081: + The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to + forward requests from Apache to Tomcat, in some circumstances, such as when + a configuration included "JkOptions +ForwardDirectories" but the + configuration did not provide explicit mounts for all possible proxied + requests, mod_jk would use an implicit mapping and map the request to the + first defined worker. Such an implicit mapping could result in the + unintended exposure of the status worker and/or bypass security constraints + configured in httpd. As of this security update, the implicit mapping + functionality has been removed and all mappings must now be via explicit + configuration. This issue affects Apache Tomcat Connectors (mod_jk only). + + -- Markus Koschany <[email protected]> Sun, 24 Sep 2023 21:00:42 +0200 + libapache-mod-jk (1:1.2.46-0+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. ===================================== debian/patches/0001-disable-logo.patch ===================================== @@ -8,7 +8,7 @@ Subject: [PATCH] disable logo --- a/xdocs/style.xsl +++ b/xdocs/style.xsl -@@ -93,15 +93,15 @@ +@@ -91,15 +91,15 @@ <img src="{$src}" align="left" alt="{$alt}" border="0"/> </a> <xsl:if test="project/logo"> ===================================== debian/patches/0002-debianize-log-directory.patch ===================================== @@ -36,7 +36,7 @@ Description: Debianize log directory (in source code and default configuration) # to add mod_jk specific information to your access log. --- a/native/apache-2.0/mod_jk.c +++ b/native/apache-2.0/mod_jk.c -@@ -98,8 +98,8 @@ +@@ -89,8 +89,8 @@ #include "jk_shm.h" #include "jk_url.h" ===================================== debian/patches/0003-upgrade-info-to-error-message.patch ===================================== @@ -8,7 +8,7 @@ Subject: [PATCH] upgrade info to error message --- a/native/apache-2.0/mod_jk.c +++ b/native/apache-2.0/mod_jk.c -@@ -2793,7 +2793,7 @@ +@@ -2996,7 +2996,7 @@ static int jk_handler(request_rec * r) } } else { ===================================== debian/patches/CVE-2023-41081.patch ===================================== @@ -0,0 +1,45 @@ +From: Markus Koschany <[email protected]> +Date: Sun, 24 Sep 2023 16:39:43 +0200 +Subject: CVE-2023-41081 + +Bug-Debian: https://bugs.debian.org/1051956 +Origin: https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792 +--- + native/apache-2.0/mod_jk.c | 19 ------------------- + 1 file changed, 19 deletions(-) + +--- a/native/apache-2.0/mod_jk.c ++++ b/native/apache-2.0/mod_jk.c +@@ -2768,17 +2768,6 @@ static int jk_handler(request_rec * r) + rconf->rule_extensions = e; + } + } +- else if (worker_env.num_of_workers == 1) { +- /** We have a single worker ( the common case ). +- ( lb is a bit special, it should count as a single worker but +- I'm not sure how ). We also have a manual config directive that +- explicitly give control to us. */ +- worker_name = worker_env.worker_list[0]; +- if (JK_IS_DEBUG_LEVEL(xconf->log)) +- jk_log(xconf->log, JK_LOG_DEBUG, +- "Single worker (%s) configuration for %s", +- worker_name, r->uri); +- } + else { + if (!xconf->uw_map) { + if (JK_IS_DEBUG_LEVEL(xconf->log)) +@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r) + r->uri = clean_uri; + } + } +- +- if (worker_name == NULL && worker_env.num_of_workers) { +- worker_name = worker_env.worker_list[0]; +- if (JK_IS_DEBUG_LEVEL(xconf->log)) +- jk_log(xconf->log, JK_LOG_DEBUG, +- "Using first worker (%s) from %d workers for %s", +- worker_name, worker_env.num_of_workers, r->uri); +- } + } + if (worker_name) + apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name); ===================================== debian/patches/fix-privacy-breach.patch ===================================== @@ -9,11 +9,9 @@ Forwarded: no xdocs/style.xsl | 4 ---- 1 file changed, 4 deletions(-) -diff --git a/xdocs/style.xsl b/xdocs/style.xsl -index fbfdfe5..afbf45d 100644 --- a/xdocs/style.xsl +++ b/xdocs/style.xsl -@@ -104,10 +104,6 @@ +@@ -102,10 +102,6 @@ </xsl:variable --> <xsl:comment>APACHE LOGO</xsl:comment> ===================================== debian/patches/series ===================================== @@ -2,3 +2,4 @@ 0002-debianize-log-directory.patch 0003-upgrade-info-to-error-message.patch fix-privacy-breach.patch +CVE-2023-41081.patch View it on GitLab: https://salsa.debian.org/java-team/libapache-mod-jk/-/compare/242efca0f1c79eb540dedac389fd1c794bcaa3df...f1a8368b8609ebdc9e93834d1d80aa3854ef7def -- View it on GitLab: https://salsa.debian.org/java-team/libapache-mod-jk/-/compare/242efca0f1c79eb540dedac389fd1c794bcaa3df...f1a8368b8609ebdc9e93834d1d80aa3854ef7def You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ pkg-java-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits
