On 26.05.2015 19:21, Markus Koschany wrote:
> On 26.05.2015 17:23, Raphael Hertzog wrote:
>> Hello dear maintainer(s),
>>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Squeeze version of libapache-mod-jk:
>> https://security-tracker.debian.org/tracker/CVE-2014-8111
>>
>> Would you like to take care of this yourself? We are still understaffed so
>> any help is always highly appreciated.
>
> Yes, I will take care of that. Uploads for Wheezy and Jessie are still
> pending. Help with testing is appreciated. For interested users of
> libapache2-mod-jk, you can already find updated amd64 packages for
> Wheezy and Jessie here:
>
> wheezy: https://people.debian.org/~carnil/tmp/libapache-mod-jk/wheezy/
> jessie: https://people.debian.org/~carnil/tmp/libapache-mod-jk/jessie/

Hi,

please find attached the debdiff and fix for libapache-mod-jk in
squeeze. Feedback and testing are appreciated.

Regards,

Markus

diff -Nru libapache-mod-jk-1.2.30/debian/changelog
libapache-mod-jk-1.2.30/debian/changelog
--- libapache-mod-jk-1.2.30/debian/changelog2011-02-15 06:17:24.0
+0100
+++ libapache-mod-jk-1.2.30/debian/changelog2015-05-30 14:54:26.0
+0200
@@ -1,3 +1,20 @@
+libapache-mod-jk (1:1.2.30-1squeeze2) squeeze-lts; urgency=high
+
+ * Team upload.
+ * Add CVE-2014-8111.patch. (Closes: #783233)
+It was discovered that a JkUnmount rule for a subtree of a previous JkMount
+rule could be ignored. This could allow a remote attacker to potentially
+access a private artifact in a tree that would otherwise not be accessible
+to them.
+- Add option to control handling of multiple adjacent slashes in mount and
+ unmount. New default is collapsing the slashes only in unmount. Before
+ this change, adjacent slashes were never collapsed, so most mounts and
+ unmounts didn't match for URLs with multiple adjacent slashes.
+- Configuration is done via new JkOption for Apache (values
+ CollapseSlashesAll, CollapseSlashesNone or CollapseSlashesUnmount).
+
+ -- Markus Koschany a...@gambaru.de Sat, 30 May 2015 14:54:17 +0200
+
libapache-mod-jk (1:1.2.30-1squeeze1) stable; urgency=medium
* Team upload.
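
Review bot: The last bullet of the new 1:1.2.30-1squeeze2 entry calls the directive "JkOption", while the error string in the patched jk_set_options() reads "JkOptions: Illegal option"; spell it JkOptions so administrators can find the setting. Because the entry announces a changed default (collapsing slashes in unmount only), it would also help to state that the CollapseSlashes* values cannot be switched off with a '-' prefix, which the patch enforces.
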
diff -Nru libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch
libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch
--- libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch 1970-01-01
01:00:00.0 +0100
+++ libapache-mod-jk-1.2.30/debian/patches/CVE-2014-8111.patch 2015-05-30
14:53:23.0 +0200
@@ -0,0 +1,418 @@
+From: Markus Koschany a...@gambaru.de
+Date: Sat, 30 May 2015 00:41:23 +0200
+Subject: CVE-2014-8111
+
+It was discovered that a JkUnmount rule for a subtree of a previous JkMount
+rule could be ignored. This could allow a remote attacker to potentially access
+a private artifact in a tree that would otherwise not be accessible to them.
+
+Forwarded: https://svn.apache.org/viewvc?view=revisionrevision=r1647017
+---
+ native/apache-1.3/mod_jk.c| 24 +--
+ native/apache-2.0/mod_jk.c| 24 +--
+ native/common/jk_global.h | 7 ++-
+ native/common/jk_uri_worker_map.c | 41 +--
+ native/common/jk_uri_worker_map.h | 7 +++
+ native/common/jk_util.c | 19 ++
+ native/common/jk_util.h | 2 ++
+ native/iis/jk_isapi_plugin.c | 27 ++
+ 8 files changed, 131 insertions(+), 20 deletions(-)
+
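
Review bot: The Forwarded: field in the patch header carries a URL whose query string reads "view=revisionrevision=r1647017", with no separator between the two parameters, so the link will not resolve as written. Since the header points at an upstream revision, an Origin: field for that revision would describe the patch better than Forwarded:, and a Bug-Debian: field for #783233 (closed in the changelog entry) would tie the patch to the bug.
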
+diff --git a/native/apache-1.3/mod_jk.c b/native/apache-1.3/mod_jk.c
+index 228161e..698d248 100644
+--- a/native/apache-1.3/mod_jk.c
b/native/apache-1.3/mod_jk.c
+@@ -1930,9 +1930,11 @@ const char *jk_set_options(cmd_parms * cmd, void
*dummy, const char *line)
+
+ mask = 0;
+
+-if (action == '-' !strncasecmp(w, ForwardURI,
strlen(ForwardURI)))
++if (action == '-'
++(!strncasecmp(w, ForwardURI, strlen(ForwardURI)) ||
++ !strncasecmp(w, CollapseSlashes, strlen(CollapseSlashes
+ return ap_pstrcat(cmd-pool, JkOptions: Illegal option '-, w,
+- ': ForwardURI* options can not be disabled,
NULL);
++ ': option can not be disabled, NULL);
+
+ if (!strcasecmp(w, ForwardURICompat)) {
+ opt = JK_OPT_FWDURICOMPAT;
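
Review bot: The replacement error text in jk_set_options(), "option can not be disabled", no longer says which options are meant, where the old text named "ForwardURI* options". The check now covers two prefixes (ForwardURI and CollapseSlashes), so the message should name both families or be worded around the option name w that is already concatenated into it. The strncasecmp() prefix match also means any word beginning with CollapseSlashes gets this error when prefixed with '-', misspelled values included; that matches the existing ForwardURI behaviour but deserves a short comment in the code.
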
+@@ -1950,6 +1952,18 @@ const char *jk_set_options(cmd_parms * cmd, void
*dummy, const char *line)
+ opt = JK_OPT_FWDURIPROXY;
+ mask = JK_OPT_FWDURIMASK;
+ }
++else if (!strcasecmp(w, CollapseSlashesAll)) {
++opt = JK_OPT_COLLAPSEALL;
++mask = JK_OPT_COLLAPSEMASK;
++}
++else if (!strcasecmp(w, CollapseSlashesNone)) {
++opt = JK_OPT_COLLAPSENONE;
++mask = JK_OPT_COLLAPSEMASK;
++}
++else if (!strcasecmp(w, CollapseSlashesUnmount)) {
++opt = JK_OPT_COLLAPSEUNMOUNT;
++