[Git][java-team/libapache-mod-jk][buster] 2 commits: Fix CVE-2023-41081 and refresh the patches.
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sun Sep 24 18:28:09 BST 2023
Markus Koschany pushed to branch buster at Debian Java Maintainers / libapache-mod-jk
Commits:
57be6f29 by Markus Koschany at 2023-09-24T18:30:01+02:00
Fix CVE-2023-41081 and refresh the patches.
- - - - -
bd976de4 by Markus Koschany at 2023-09-24T18:31:30+02:00
Update changelog
- - - - -
7 changed files:
- debian/changelog
- debian/patches/0001-disable-logo.patch
- debian/patches/0002-debianize-log-directory.patch
- debian/patches/0003-upgrade-info-to-error-message.patch
- + debian/patches/CVE-2023-41081.patch
- debian/patches/fix-privacy-breach.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+libapache-mod-jk (1:1.2.46-1+deb10u2) buster-security; urgency=high
+
+ * Fix CVE-2023-41081:
+ The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
+ forward requests from Apache to Tomcat, in some circumstances, such as when
+ a configuration included "JkOptions +ForwardDirectories" but the
+ configuration did not provide explicit mounts for all possible proxied
+ requests, mod_jk would use an implicit mapping and map the request to the
+ first defined worker. Such an implicit mapping could result in the
+ unintended exposure of the status worker and/or bypass security constraints
+ configured in httpd. As of this security update, the implicit mapping
+ functionality has been removed and all mappings must now be via explicit
+ configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
+
+ -- Markus Koschany <apo at debian.org> Sun, 24 Sep 2023 18:30:23 +0200
+
libapache-mod-jk (1:1.2.46-1+deb10u1) buster; urgency=medium
* Rename httpd-jk.conf to jk.conf to restore compatibility with Debian's Apache
=====================================
debian/patches/0001-disable-logo.patch
=====================================
@@ -8,7 +8,7 @@ Subject: [PATCH] disable logo
--- a/xdocs/style.xsl
+++ b/xdocs/style.xsl
-@@ -93,15 +93,15 @@
+@@ -91,15 +91,15 @@
<img src="{$src}" align="left" alt="{$alt}" border="0"/>
</a>
<xsl:if test="project/logo">
=====================================
debian/patches/0002-debianize-log-directory.patch
=====================================
@@ -36,7 +36,7 @@ Description: Debianize log directory (in source code and default configuration)
# to add mod_jk specific information to your access log.
--- a/native/apache-2.0/mod_jk.c
+++ b/native/apache-2.0/mod_jk.c
-@@ -98,8 +98,8 @@
+@@ -89,8 +89,8 @@
#include "jk_shm.h"
#include "jk_url.h"
=====================================
debian/patches/0003-upgrade-info-to-error-message.patch
=====================================
@@ -8,7 +8,7 @@ Subject: [PATCH] upgrade info to error message
--- a/native/apache-2.0/mod_jk.c
+++ b/native/apache-2.0/mod_jk.c
-@@ -3000,7 +3000,7 @@
+@@ -2996,7 +2996,7 @@ static int jk_handler(request_rec * r)
}
}
else {
=====================================
debian/patches/CVE-2023-41081.patch
=====================================
@@ -0,0 +1,45 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 24 Sep 2023 16:39:43 +0200
+Subject: CVE-2023-41081
+
+Bug-Debian: https://bugs.debian.org/1051956
+Origin: https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792
+---
+ native/apache-2.0/mod_jk.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+--- a/native/apache-2.0/mod_jk.c
++++ b/native/apache-2.0/mod_jk.c
+@@ -2768,17 +2768,6 @@ static int jk_handler(request_rec * r)
+ rconf->rule_extensions = e;
+ }
+ }
+- else if (worker_env.num_of_workers == 1) {
+- /** We have a single worker ( the common case ).
+- ( lb is a bit special, it should count as a single worker but
+- I'm not sure how ). We also have a manual config directive that
+- explicitly give control to us. */
+- worker_name = worker_env.worker_list[0];
+- if (JK_IS_DEBUG_LEVEL(xconf->log))
+- jk_log(xconf->log, JK_LOG_DEBUG,
+- "Single worker (%s) configuration for %s",
+- worker_name, r->uri);
+- }
+ else {
+ if (!xconf->uw_map) {
+ if (JK_IS_DEBUG_LEVEL(xconf->log))
+@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r)
+ r->uri = clean_uri;
+ }
+ }
+-
+- if (worker_name == NULL && worker_env.num_of_workers) {
+- worker_name = worker_env.worker_list[0];
+- if (JK_IS_DEBUG_LEVEL(xconf->log))
+- jk_log(xconf->log, JK_LOG_DEBUG,
+- "Using first worker (%s) from %d workers for %s",
+- worker_name, worker_env.num_of_workers, r->uri);
+- }
+ }
+ if (worker_name)
+ apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name);
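Review bot: The DEP-3 header of the new patch (From, Date, Subject, Bug-Debian and Origin at the top of the file) carries no Description of the behavioural change, even though this stable update deliberately stops serving requests that single-worker setups previously got through implicit mapping; I would add `Description: Remove the implicit mapping of requests without an explicit mount to the first worker (CVE-2023-41081); such requests now need a JkMount.` so an administrator reading the patch sees why their configuration stopped working. After the two removed blocks, worker_name stays NULL whenever no explicit mount matched, and the only handling still visible is the `if (worker_name)` guard at the end of the hunk; jk_handler continues outside the hunk, so it is worth confirming that the NULL case reaches the decline/not-found path rather than a later dereference. The first removed block also drops the only debug message for the single-worker case, so if the remaining else branch does not already log when the mount map yields no match, a debug-level message there would give operators the hint the deleted one used to provide.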
=====================================
debian/patches/fix-privacy-breach.patch
=====================================
@@ -9,11 +9,9 @@ Forwarded: no
xdocs/style.xsl | 4 ----
1 file changed, 4 deletions(-)
-diff --git a/xdocs/style.xsl b/xdocs/style.xsl
-index fbfdfe5..afbf45d 100644
--- a/xdocs/style.xsl
+++ b/xdocs/style.xsl
-@@ -104,10 +104,6 @@
+@@ -102,10 +102,6 @@
</xsl:variable -->
<xsl:comment>APACHE LOGO</xsl:comment>
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@
0002-debianize-log-directory.patch
0003-upgrade-info-to-error-message.patch
fix-privacy-breach.patch
+CVE-2023-41081.patch