Bug#783233: RFS: libapache-mod-jk 1:1.2.40+svn150520-1 [RC]

Markus Koschany apo at gambaru.de
Thu May 21 20:00:37 UTC 2015


Control: tags -1 pending

Hi,

I have prepared a new upstream release of libapache-mod-jk which fixes
RC bug #783233, better known as CVE-2014-8111. I would be glad if
someone reviewed the package and uploaded it to unstable.

https://security-tracker.debian.org/tracker/source-package/libapache-mod-jk

https://anonscm.debian.org/viewvc/pkg-java/trunk/libapache-mod-jk/

Version 1.2.41 hasn't been released yet, so I prepared an SVN snapshot.

"It was discovered that a JkUnmount rule for a subtree of a previous
JkMount rule could be ignored. This could allow a remote attacker to
potentially access a private artifact in a tree that would otherwise not
be accessible to them."

The new version adds new JkOptions to the apache2 module mod_jk and
disables the unsafe handling of adjacent slashes by default now. The
changes can be adjusted in /etc/apache2/mods-available/jk.conf.

The patch for fixing this bug is available here:

https://svn.apache.org/viewvc?view=revision&revision=1647017

I intend to prepare further uploads for jessie, wheezy and squeeze, if
possible.

Changelog:

  * Team upload.
  * Imported Upstream SVN snapshot version 1.2.40+svn150520.
    - Fix CVE-2014-8111: (Closes: #783233)
      Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for
      subtrees of previous JkMount rules, which allows remote attackers
      to access otherwise restricted artifacts via unspecified vectors.
  * debian/control: Build-Depend on debhelper >= 9.
  * Remove source.lintian-overrides since we now build-depend on
    debhelper >=9.
  * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
  * debian/rules:
    - Disable sed command in debian/rules. Apparently not necessary for
      this release.
    - Run buildconf.sh before dh_auto_configure step since this is a
      requirement for building SVN snapshots.
    - Update dh_auto_clean override. Ensure that the package can be
      built twice in a row.
  * debian/control:
    - Add autoconf to Build-Depends.
    - Add automake to Build-Depends.
    - Remove Conflicts and Replaces fields because they are obsolete.
  * Add disable-libtool-check.patch and fix a FTBFS. We already
    build-depend on libtool but the script is not smart enough.
  * Add fix-privacy-breach.patch and fix lintian errors about "privacy
    breach logo".
  * Update debian/copyright information. Add missing BSD-3-clause
    license.
  * Add README.source.

Regards,

Markus
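As an added example (not part of this message, the Debian package or the mod_jk sources): a small Python model of the JkMount/JkUnmount decision described above. The rule syntax, the matcher and the constructed rule set are assumptions made for illustration; the point is the regression check a packager can run to confirm that a private subtree stays unmounted once adjacent slashes are collapsed before matching.

```python
import re

# Constructed rules modelling a jk.conf that forwards an application to
# Tomcat while keeping its private WEB-INF subtree off the AJP connector.
# Rule syntax and matching are a simplified model, not mod_jk's own code.
MOUNTS = ["/app/*"]
UNMOUNTS = ["/app/WEB-INF/*"]


def rule_matches(rule: str, uri: str) -> bool:
    """Simplified JkMount/JkUnmount match: a trailing '/*' matches the
    directory itself and everything below it; other rules match exactly."""
    if rule.endswith("/*"):
        base = rule[:-2]                       # "/app/*" -> "/app"
        return uri == base or uri.startswith(base + "/")
    return uri == rule


def collapse_slashes(uri: str) -> str:
    """Normalise runs of adjacent slashes to one ('/a//b' -> '/a/b')."""
    return re.sub(r"/{2,}", "/", uri)


def forwarded_to_tomcat(uri: str, collapse: bool) -> bool:
    """Decide whether a request URI is handed to the AJP backend.

    collapse=False models matching the raw URI against the rules (the
    behaviour the CVE-2014-8111 fix turns off by default); collapse=True
    normalises adjacent slashes first, so an unmounted subtree stays
    unmounted however the path was spelled.
    """
    candidate = collapse_slashes(uri) if collapse else uri
    if not any(rule_matches(m, candidate) for m in MOUNTS):
        return False                           # not mounted: Apache serves it
    return not any(rule_matches(u, candidate) for u in UNMOUNTS)


def private_paths_exposed(uris: list[str], collapse: bool) -> list[str]:
    """Regression check for a rule set: return the URIs that resolve into an
    unmounted subtree yet would still be forwarded to Tomcat."""
    return [
        u for u in uris
        if forwarded_to_tomcat(u, collapse)
        and any(rule_matches(x, collapse_slashes(u)) for x in UNMOUNTS)
    ]


if __name__ == "__main__":
    probes = ["/app/index.jsp", "/app/WEB-INF/web.xml", "/app//WEB-INF/web.xml"]
    print("raw matching leaks:", private_paths_exposed(probes, collapse=False))
    print("collapsed matching leaks:", private_paths_exposed(probes, collapse=True))
```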

