Bug#783233: CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules

Raphael Hertzog hertzog at debian.org
Fri Apr 24 10:11:40 UTC 2015


Source: libapache-mod-jk
Severity: serious 
Tags: security

Hi,

the following vulnerability was published for libapache-mod-jk.

CVE-2014-8111[0]:
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
| rules for subtrees of previous JkMount rules, which allows remote
| attackers to access otherwise restricted artifacts via unspecified
| vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8111
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111

Please adjust the affected versions in the BTS as needed.

The upstream fix is here: http://svn.apache.org/r1647017

Feel free to lower the severity if you believe the issue to be minor. I'm
not familiar enough with the software to be able to judge.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
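For readers checking their own mod_jk configuration, here is the kind of mount/unmount pair the CVE text refers to. This is an added illustration, not part of the bug report or of the mod_jk project; the worker name `ajp13`, the paths and the workers file location are assumed.

```apache
# Assumed: the workers file defines a worker named "ajp13".
JkWorkersFile /etc/libapache2-mod-jk/workers.properties

# Forward the whole application tree to Tomcat via the ajp13 worker.
JkMount /app/* ajp13

# Exclude one subtree of that mount from forwarding.
# Per the CVE description, mod_jk before 1.2.41 ignored a JkUnmount
# like this one when it applied to a subtree of an earlier JkMount,
# so requests under /app/internal/ were still passed to Tomcat.
# With 1.2.41 (or the backported upstream fix) the exclusion is honoured.
JkUnmount /app/internal/* ajp13
```

After upgrading, confirm that a request under the unmounted subtree is served by httpd itself (or refused) rather than answered by Tomcat.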