Bug#840000: libapache-mod-jk: CVE-2016-6808

Markus Koschany apo at debian.org
Fri Oct 7 13:21:54 UTC 2016


On 07.10.2016 14:15, Salvatore Bonaccorso wrote:
[...]
> 
> Now whilst the affected code is back present in 1.2.0, I need some
> help understanding the actual impact for us. According to the build
> log this common code is as well compiled into the mod_jk. The
> upstream description, though, mentions that the resulting security impact
> seems only relevant when run under IIS.
> https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
> that a mitigation would be to "Where available, use IIS configuration
> to restrict the maximum URI length to 4095 - (the length of the
> longest virtual host name)".
> 
> Can you clarify if this is correct? If so we would mark the CVE as
> (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> upload to unstable can then mark the CVE as fixed.
> 
> Please let me know if the above statement about the issue being
> relevant only under IIS is correct this way.

Looking at native/common/jk_uri_worker_map.c it appears that the
affected map_uri_to_worker_ext function is shared between the IIS,
Apache 1.3 and Apache-2.0 modules and the latter is used by Debian. So
for me it looks relevant to us.

Regards,

Markus


More information about the pkg-java-maintainers mailing list