Re: squeeze update of libapache-mod-jk?

2015-06-10 Thread Raphael Hertzog
On Tue, 09 Jun 2015, Markus Koschany wrote:
> > I see that you requested sponsorship. Shall I go ahead and upload it and
> > send the DLA? Or do you prefer to handle the DLA yourself?
>
> please go ahead. Thank you.

Uploaded and DLA sent.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


-- 
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150610085730.gb2...@home.ouaza.com



Re: squeeze update of libapache-mod-jk?

2015-06-09 Thread Markus Koschany
On 09.06.2015 18:22, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 30 May 2015, Markus Koschany wrote:
> > please find attached the debdiff and fix for libapache-mod-jk in
> > squeeze. Feedback and testing are appreciated.
>
> I did a quick review and it looks good. It builds fine in my chroot.
> But I don't know how to test this package.
>
> I see that you requested sponsorship. Shall I go ahead and upload it and
> send the DLA? Or do you prefer to handle the DLA yourself?

Hi Raphael,

please go ahead. Thank you.

Markus






Re: squeeze update of libapache-mod-jk?

2015-05-30 Thread Markus Koschany
On 26.05.2015 19:21, Markus Koschany wrote:
> On 26.05.2015 17:23, Raphael Hertzog wrote:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of libapache-mod-jk:
> > https://security-tracker.debian.org/tracker/CVE-2014-8111
> >
> > Would you like to take care of this yourself? We are still understaffed so
> > any help is always highly appreciated.
>
> Yes, I will take care of that. Uploads for Wheezy and Jessie are still
> pending. Help with testing is appreciated. For interested users of
> libapache2-mod-jk, you can already find updated amd64 packages for
> Wheezy and Jessie here:
>
> wheezy: https://people.debian.org/~carnil/tmp/libapache-mod-jk/wheezy/
> jessie: https://people.debian.org/~carnil/tmp/libapache-mod-jk/jessie/
>

Hi,

please find attached the debdiff and fix for libapache-mod-jk in
squeeze. Feedback and testing are appreciated.

Regards,

Markus

diff -Nru libapache-mod-jk-1.2.30/debian/changelog 
libapache-mod-jk-1.2.30/debian/changelog
--- libapache-mod-jk-1.2.30/debian/changelog2011-02-15 06:17:24.0 
+0100
+++ libapache-mod-jk-1.2.30/debian/changelog2015-05-30 14:54:26.0 
+0200
@@ -1,3 +1,20 @@
+libapache-mod-jk (1:1.2.30-1squeeze2) squeeze-lts; urgency=high
+
+  * Team upload.
+  * Add CVE-2014-8111.patch. (Closes: #783233)
+It was discovered that a JkUnmount rule for a subtree of a previous JkMount
+rule could be ignored. This could allow a remote attacker to potentially
+access a private artifact in a tree that would otherwise not be accessible
+to them.
+- Add option to control handling of multiple adjacent slashes in mount and
+  unmount. New default is collapsing the slashes only in unmount. Before
+  this change, adjacent slashes were never collapsed, so most mounts and
+  unmounts didn't match for URLs with multiple adjacent slashes.
+- Configuration is done via new JkOption for Apache (values
+  CollapseSlashesAll, CollapseSlashesNone or CollapseSlashesUnmount).
+
+ -- Markus Koschany a...@gambaru.de  Sat, 30 May 2015 14:54:17 +0200
+
 libapache-mod-jk (1:1.2.30-1squeeze1) stable; urgency=medium
 
   * Team upload.
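Review bot: the entry lists the new JkOption values but does not spell out what the new default means for existing squeeze installations: with CollapseSlashesUnmount in effect, requests containing adjacent slashes that previously matched neither mount nor unmount rules are now matched against JkUnmount rules, which is the intended fix but also a routing change that admins get without opting in. Since the JkOptions hunk in the patch refuses the `-` form for these options, consider stating in the entry (and in the DLA text) that the option is a three-way selector, and that CollapseSlashesNone reproduces the pre-fix behaviour and therefore should not be used where JkUnmount is relied on to protect a subtree.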
diff -Nru libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch 
libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch
--- libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch  1970-01-01 
01:00:00.0 +0100
+++ libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch  2015-05-30 
14:53:23.0 +0200
@@ -0,0 +1,418 @@
+From: Markus Koschany a...@gambaru.de
+Date: Sat, 30 May 2015 00:41:23 +0200
+Subject: CVE-2014-8111
+
+It was discovered that a JkUnmount rule for a subtree of a previous JkMount
+rule could be ignored. This could allow a remote attacker to potentially access
+a private artifact in a tree that would otherwise not be accessible to them.
+
+Forwarded: https://svn.apache.org/viewvc?view=revisionrevision=r1647017
+---
+ native/apache-1.3/mod_jk.c| 24 +--
+ native/apache-2.0/mod_jk.c| 24 +--
+ native/common/jk_global.h |  7 ++-
+ native/common/jk_uri_worker_map.c | 41 +--
+ native/common/jk_uri_worker_map.h |  7 +++
+ native/common/jk_util.c   | 19 ++
+ native/common/jk_util.h   |  2 ++
+ native/iis/jk_isapi_plugin.c  | 27 ++
+ 8 files changed, 131 insertions(+), 20 deletions(-)
+
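Review bot: the DEP-3 header mislabels the provenance of the patch. For a change taken from upstream's repository the field should be `Origin: backport, <url>`; `Forwarded:` describes whether a Debian-originated patch was sent upstream, and would be `not-needed` here. The URL as written also runs its two query parameters together (`view=revisionrevision=r1647017`), so check that the link resolves before upload.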
+diff --git a/native/apache-1.3/mod_jk.c b/native/apache-1.3/mod_jk.c
+index 228161e..698d248 100644
+--- a/native/apache-1.3/mod_jk.c
 b/native/apache-1.3/mod_jk.c
+@@ -1930,9 +1930,11 @@ const char *jk_set_options(cmd_parms * cmd, void 
*dummy, const char *line)
+ 
+ mask = 0;
+ 
+-if (action == '-'  !strncasecmp(w, ForwardURI, 
strlen(ForwardURI)))
++if (action == '-' 
++(!strncasecmp(w, ForwardURI, strlen(ForwardURI)) ||
++ !strncasecmp(w, CollapseSlashes, strlen(CollapseSlashes
+ return ap_pstrcat(cmd-pool, JkOptions: Illegal option '-, w,
+-   ': ForwardURI* options can not be disabled, 
NULL);
++  ': option can not be disabled, NULL);
+ 
+ if (!strcasecmp(w, ForwardURICompat)) {
+ opt = JK_OPT_FWDURICOMPAT;
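Review bot: the new error text at the end of the hunk (`': option can not be disabled`) is less helpful than the one it replaces: the old message told the admin that the whole ForwardURI* family is not a toggle, while the new one only echoes the rejected token through `w`. The branches that follow set a `mask` (JK_OPT_FWDURIMASK, and JK_OPT_COLLAPSEMASK for the new options), so these are mutually exclusive selectors; the message could say so, e.g. `': option can not be disabled, select another value instead`. The strncasecmp prefix compare against CollapseSlashes mirrors the existing ForwardURI check and covers all three new spellings.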
+@@ -1950,6 +1952,18 @@ const char *jk_set_options(cmd_parms * cmd, void 
*dummy, const char *line)
+ opt = JK_OPT_FWDURIPROXY;
+ mask = JK_OPT_FWDURIMASK;
+ }
++else if (!strcasecmp(w, CollapseSlashesAll)) {
++opt = JK_OPT_COLLAPSEALL;
++mask = JK_OPT_COLLAPSEMASK;
++}
++else if (!strcasecmp(w, CollapseSlashesNone)) {
++opt = JK_OPT_COLLAPSENONE;
++mask = JK_OPT_COLLAPSEMASK;
++}
++else if (!strcasecmp(w, CollapseSlashesUnmount)) {
++opt = JK_OPT_COLLAPSEUNMOUNT;
++
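Review bot: the CollapseSlashesAll and CollapseSlashesNone branches set `opt` together with JK_OPT_COLLAPSEMASK in the same way the ForwardURI* branches above set JK_OPT_FWDURIMASK, which is the right shape for a three-way option. The diff is cut off in the archive right after `opt = JK_OPT_COLLAPSEUNMOUNT;`, so the mask assignment for that branch and the remaining files from the diffstat (apache-2.0/mod_jk.c, jk_uri_worker_map.c, jk_util.c, jk_isapi_plugin.c and the headers) cannot be reviewed here. Because the diffstat shows the option handling added to three frontends (apache-1.3, apache-2.0, iis), the reviewer should confirm that all three accept the same three names and apply the same CollapseSlashesUnmount default, and that the common jk_uri_worker_map.c change is what actually performs the collapsing so the frontends cannot drift.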

squeeze update of libapache-mod-jk?

2015-05-26 Thread Raphael Hertzog
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libapache-mod-jk:
https://security-tracker.debian.org/tracker/CVE-2014-8111

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Archive: https://lists.debian.org/20150526152356.ga6...@home.ouaza.com



Re: squeeze update of libapache-mod-jk?

2015-05-26 Thread Markus Koschany
On 26.05.2015 17:23, Raphael Hertzog wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of libapache-mod-jk:
> https://security-tracker.debian.org/tracker/CVE-2014-8111
>
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.

Yes, I will take care of that. Uploads for Wheezy and Jessie are still
pending. Help with testing is appreciated. For interested users of
libapache2-mod-jk, you can already find updated amd64 packages for
Wheezy and Jessie here:

wheezy: https://people.debian.org/~carnil/tmp/libapache-mod-jk/wheezy/
jessie: https://people.debian.org/~carnil/tmp/libapache-mod-jk/jessie/

Regards,

Markus


