Author: markt Date: Sun Jul 26 16:37:31 2015 New Revision: 1692731 URL: http://svn.apache.org/r1692731 Log: Add CVE-2014-8111
Modified: tomcat/site/trunk/docs/security-jk.html tomcat/site/trunk/xdocs/security-jk.xml Modified: tomcat/site/trunk/docs/security-jk.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1692731&r1=1692730&r2=1692731&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-jk.html (original) +++ tomcat/site/trunk/docs/security-jk.html Sun Jul 26 16:37:31 2015 @@ -203,6 +203,9 @@ <a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.41_(not_yet_released)">Fixed in Apache Tomcat JK Connector 1.2.41 (not yet released)</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</a> </li> <li> @@ -236,6 +239,40 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.41_(not_yet_released)">Fixed in Apache Tomcat JK Connector 1.2.41 (not yet released)</h3> +<div class="text"> + + +<p> +<strong>Important: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111" rel="nofollow">CVE-2014-8111</a> +</p> + + +<p>Multiple adjacent slashes in a request URI were not collapsed to a single + slash before comparing the request URI to the configured mount and + unmount patterns. It is therefore possible for an attacker to use a + request URI containing multiple adjacent slashes to bypass the + restrictions of a <code>JkUnmount</code> directive. This may expose + application functionality through the reverse proxy that is not intended + for clients accessing the application via the reverse proxy.</p> + + +<p>As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is + now configurable via a new <code>JkOption</code> for httpd (values + <code>CollapseSlashesAll</code>, <code>CollapseSlashesNone</code> or + <code>CollapseSlashesUnmount</code>) and via a new property + <code>collapse_slashes</code> for IIS (values <code>all</code>, + <code>none</code>, <code>unmount</code>).</p> + + +<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1647017">revision 1647017</a>.</p> + + +<p>Affects: JK 1.2.0-1.2.40</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</h3> <div class="text"> Modified: tomcat/site/trunk/xdocs/security-jk.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?rev=1692731&r1=1692730&r2=1692731&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-jk.xml (original) +++ tomcat/site/trunk/xdocs/security-jk.xml Sun Jul 26 16:37:31 2015 @@ -28,6 +28,32 @@ </section> + <section name="Fixed in Apache Tomcat JK Connector 1.2.41 (not yet released)"> + + <p><strong>Important: Information disclosure</strong> + <cve>CVE-2014-8111</cve></p> + + <p>Multiple adjacent slashes in a request URI were not collapsed to a single + slash before comparing the request URI to the configured mount and + unmount patterns. It is therefore possible for an attacker to use a + request URI containing multiple adjacent slashes to bypass the + restrictions of a <code>JkUnmount</code> directive. This may expose + application functionality through the reverse proxy that is not intended + for clients accessing the application via the reverse proxy.</p> + + <p>As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is + now configurable via a new <code>JkOption</code> for httpd (values + <code>CollapseSlashesAll</code>, <code>CollapseSlashesNone</code> or + <code>CollapseSlashesUnmount</code>) and via a new property + <code>collapse_slashes</code> for IIS (values <code>all</code>, + <code>none</code>, <code>unmount</code>).</p> + + <p>This was fixed in <revlink rev="1647017">revision 1647017</revlink>.</p> + + <p>Affects: JK 1.2.0-1.2.40</p> + + </section> + <section name="Fixed in Apache Tomcat JK Connector 1.2.27"> <p><strong>Important: Information disclosure</strong> <cve>CVE-2008-5519</cve></p> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org