Bug#840000: libapache-mod-jk: CVE-2016-6808

Salvatore Bonaccorso carnil at debian.org
Fri Oct 7 12:15:32 UTC 2016

Control: found -1 1:1.2.37-4


On Fri, Oct 07, 2016 at 01:26:00PM +0200, Salvatore Bonaccorso wrote:
> Source: libapache-mod-jk
> Version: 1:1.2.41-1
> Severity: important
> Tags: security upstream patch
> Hi,
> the following vulnerability was published for libapache-mod-jk.
> CVE-2016-6808[0]:
> buffer overflow
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
> [0] https://security-tracker.debian.org/tracker/CVE-2016-6808

Now whilst the affected code is back present in 1.2.0, I need some
help understanding the actual impact for us. According to the build
log this common code is as well compiled in into the mod_jk, The
upstream description though mention that the resulting security impact
is seems only relevant when run under IIS.
https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
that a mitigation would be to "Where available, use IIS configuration
to restrict the maximum URI length to 4095 - (the length of the
longest virtual host name)".

Can you clarify if this is correct? If so we would mark the CVE as
(unimportant) and thus as well not release a DSA, and a 1:1.2.42
upload to unstable can then mark the CVE as fixed.

Please let me know if the above statement about the issue beeing
relevant only under IIS is correct this way.


More information about the pkg-java-maintainers mailing list