Bug#783233: CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules

Markus Koschany apo at gambaru.de
Wed May 20 18:04:56 UTC 2015


On Fri, 24 Apr 2015 12:11:40 +0200 Raphael Hertzog <hertzog at debian.org>
wrote:
> Source: libapache-mod-jk
> Severity: serious 
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for libapache-mod-jk.
> 
> CVE-2014-8111[0]:
> | Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
> | rules for subtrees of previous JkMount rules, which allows remote
> | attackers to access otherwise restricted artifacts via unspecified
> | vectors.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2014-8111
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
>     Please adjust the affected versions in the BTS as needed.
> 
> The upstream fix is here: http://svn.apache.org/r1647017
> 
> Feel free to lower the severity if you believe the issue to be minor. I'm
> not familiar enough with the software to be able to judge.

This bug is only fixed in upstream's version control system. Version
1.2.41 hasn't been released yet.

If nobody has any objections, I'm going ahead and packaging an SVN snapshot
of libapache-mod-jk. I will also try to fix the version in wheezy and
possibly squeeze.

Markus

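The configuration pattern behind CVE-2014-8111 is a JkUnmount whose URI pattern lies inside the subtree of an earlier JkMount. The following is an added example, not code from the bug report, Debian or the mod_jk project: it parses JkMount/JkUnmount directives from a constructed httpd.conf fragment, flags every JkUnmount that sits under a broader JkMount for the same worker (the rules an administrator needs to verify with real requests after the 1.2.41 fix lands), and resolves sample URIs under the intended semantics, i.e. an exclusion for a subtree is honoured even when it follows the mount. The wildcard matching (fnmatch-style, `*` spanning `/`) and the resolution order (unmounts cancel mounts for the same worker, then the longest matching mount wins) are simplifying assumptions made for this model and are not mod_jk's own matching code.

```python
"""
Added example: audit JkMount/JkUnmount rules for the CVE-2014-8111 pattern
(a JkUnmount under an earlier JkMount) and resolve URIs the intended way.
This is a model of the intended semantics, not mod_jk's uri_worker_map code.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample fragment of an httpd.conf; not taken from the bug report.
SAMPLE_CONFIG = """
JkMount /app/* worker1
JkUnmount /app/admin/* worker1
JkMount /api/* worker2
JkUnmount /app/static/* worker1
"""

DIRECTIVE_RE = re.compile(r'^\s*(JkMount|JkUnmount)\s+(\S+)\s+(\S+)\s*$', re.M)


def parse_rules(config_text):
    """Return (kind, pattern, worker) tuples in file order."""
    return [m.groups() for m in DIRECTIVE_RE.finditer(config_text)]


def matches(pattern, uri):
    """Assumption: mod_jk-style patterns where '*' spans '/' (fnmatch does too)."""
    return fnmatchcase(uri, pattern)


def resolve(rules, uri):
    """Worker a URI is forwarded to, or None if Apache should serve it itself.

    Intended semantics: a JkUnmount cancels every JkMount for the same worker
    that matches the URI, regardless of directive order; among the surviving
    mounts the longest (most specific) pattern wins.
    """
    excluded = {w for k, p, w in rules if k == 'JkUnmount' and matches(p, uri)}
    candidates = [(len(p), w) for k, p, w in rules
                  if k == 'JkMount' and w not in excluded and matches(p, uri)]
    if not candidates:
        return None
    return max(candidates)[1]


def subtree_unmounts(rules):
    """(unmount_pattern, mount_pattern) pairs where the JkUnmount lies inside a
    broader wildcard JkMount for the same worker: exactly the rules that
    mod_jk before 1.2.41 ignored, so each one deserves an explicit request
    test after upgrading."""
    mounts = [(p, w) for k, p, w in rules if k == 'JkMount']
    found = []
    for k, p, w in rules:
        if k != 'JkUnmount':
            continue
        for mp, mw in mounts:
            prefix = mp[:-1]  # '/app/*' -> '/app/'
            if mw == w and mp != p and mp.endswith('/*') and p.startswith(prefix):
                found.append((p, mp))
    return found


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_CONFIG)
    for unmount, mount in subtree_unmounts(rules):
        print(f'verify: {unmount} is excluded from {mount}')
    for uri in ('/app/index.jsp', '/app/admin/users', '/app/static/logo.png',
                '/api/v1/items', '/other'):
        print(f'{uri:24} -> {resolve(rules, uri)}')
```

With the sample rules, `/app/admin/users` and `/app/static/logo.png` resolve to `None` (served by Apache, not forwarded), while `/app/index.jsp` still goes to `worker1`. On a host running an affected mod_jk, the flagged paths are the ones to request against the live server and check in Tomcat's access log: if Tomcat sees them, the unmount is being ignored.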