Bug#840000: libapache-mod-jk: CVE-2016-6808

Salvatore Bonaccorso carnil at debian.org
Fri Oct 7 14:20:05 UTC 2016


Hi Markus,

On Fri, Oct 07, 2016 at 03:21:54PM +0200, Markus Koschany wrote:
> On 07.10.2016 14:15, Salvatore Bonaccorso wrote:
> [...]
> > 
> > Now whilst the affected code is back present in 1.2.0, I need some
> > help understanding the actual impact for us. According to the build
> > log this common code is as well compiled into the mod_jk. The
> > upstream description though mentions that the resulting security impact
> > seems only relevant when run under IIS.
> > https://marc.info/?l=oss-security&m=147575324211141&w=2 as well states
> > that a mitigation would be to "Where available, use IIS configuration
> > to restrict the maximum URI length to 4095 - (the length of the
> > longest virtual host name)".
> > 
> > Can you clarify if this is correct? If so we would mark the CVE as
> > (unimportant) and thus as well not release a DSA, and a 1:1.2.42
> > upload to unstable can then mark the CVE as fixed.
> > 
> > Please let me know if the above statement about the issue being
> > relevant only under IIS is correct this way.
> 
> Looking at native/common/jk_uri_worker_map.c it appears that the
> affected map_uri_to_worker_ext function is shared between the IIS,
> Apache 1.3 and Apache-2.0 modules and the latter is used by Debian. So
> for me it looks relevant to us.

Thanks for your investigation! Have you good upstream contact to try
to clarify why the above statement was made?

Regards,
Salvatore


