Your message dated Fri, 22 May 2015 05:18:52 +0000
with message-id <e1yvfmc-0006kr...@franck.debian.org>
and subject line Bug#783233: fixed in libapache-mod-jk 1:1.2.40+svn150520-1
has caused the Debian Bug report #783233,
regarding CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of 
previous JkMount rules
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
783233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapache-mod-jk
Severity: serious 
Tags: security

Hi,

the following vulnerability was published for libapache-mod-jk.

CVE-2014-8111[0]:
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
| rules for subtrees of previous JkMount rules, which allows remote
| attackers to access otherwise restricted artifacts via unspecified
| vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8111
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
    Please adjust the affected versions in the BTS as needed.

The upstream fix is here: http://svn.apache.org/r1647017

Feel free to lower the severity if you believe the issue to be minor. I'm
not familiar enough with the software to be able to judge.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.40+svn150520-1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2015 17:53:24 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source all amd64
Version: 1:1.2.40+svn150520-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description:
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes:
 libapache-mod-jk (1:1.2.40+svn150520-1) unstable; urgency=high
 .
   * Team upload.
   * Imported Upstream SVN snapshot version 1.2.40+svn150520.
     - Fix CVE-2014-8111: (Closes: #783233)
       Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees of
       previous JkMount rules, which allows remote attackers to access otherwise
       restricted artifacts via unspecified vectors.
   * debian/control: Build-Depend on debhelper >= 9.
   * Remove source.lintian-overrides since we now build-depend on debhelper >=9.
   * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
   * debian/rules:
     - Disable sed command in debian/rules. Apparently not necessary for this
       release.
     - Run buildconf.sh before dh_auto_configure step since this is a
       requirement for building SVN snapshots.
     - Update dh_auto_clean override. Ensure that the package can be built twice
       in a row.
   * debian/control:
     - Add autoconf to Build-Depends.
     - Add automake to Build-Depends.
     - Remove Conflicts and Replaces fields because they are obsolete.
   * Add disable-libtool-check.patch and fix a FTBFS. We already build-depend on
     libtool but the script is not smart enough.
   * Add fix-privacy-breach.patch and fix lintian errors about "privacy breach
     logo".
   * Update debian/copyright information. Add missing BSD-3-clause license.
   * Add README.source.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
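
An added example, not part of the bug report or of mod_jk itself: a small audit helper that lists the configuration shape the CVE description names, a JkUnmount rule covering a subtree of an earlier JkMount rule, so that hosts still running a mod_jk older than the fixed version can be prioritised for the upgrade. The sample configuration, the function names and the simplified prefix matching are assumptions made for illustration.

```python
import re

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
# constructed example
JkMount /app/* worker1
JkUnmount /app/static/* worker1
JkMount /api/* worker2
JkUnmount /other/* worker2
JkUnmount /api/internal/*.jsp worker2
"""

RULE = re.compile(r"^\s*(JkMount|JkUnmount)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def literal_head(pattern):
    """Return the part of a URI pattern before its first wildcard."""
    return re.split(r"[*?]", pattern, maxsplit=1)[0]


def subtree_unmounts(conf_text):
    """Find JkUnmount rules that exclude a subtree of an earlier JkMount.

    Simplified heuristic (assumption): only directory-style mounts such as
    /app/* are considered, and a mount and unmount pair up when they name
    the same worker. It does not reproduce mod_jk's own matching.
    """
    mounts, findings = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        match = RULE.match(line)
        if not match:
            continue  # comments and unrelated directives
        directive, pattern, worker = match.groups()
        head = literal_head(pattern)
        if directive.lower() == "jkmount":
            if head.endswith("/"):
                mounts.append((lineno, head, pattern, worker))
            continue
        for m_line, m_head, m_pattern, m_worker in mounts:
            if worker == m_worker and head.startswith(m_head) and len(head) > len(m_head):
                findings.append((lineno, pattern, m_line, m_pattern, worker))
    return findings


if __name__ == "__main__":
    for u_line, u_pat, m_line, m_pat, worker in subtree_unmounts(SAMPLE_CONF):
        print(f"line {u_line}: JkUnmount {u_pat} relies on exclusion from "
              f"JkMount {m_pat} (line {m_line}, worker {worker})")
```

Each finding is a path whose protection depends on the JkUnmount exclusion being honoured, which is what the fixed package restores.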
