Your message dated Sun, 07 Jun 2015 19:02:05 +0000
with message-id <e1z1fpd-0007tv...@franck.debian.org>
and subject line Bug#783233: fixed in libapache-mod-jk 1:1.2.37-4+deb8u1
has caused the Debian Bug report #783233,
regarding CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of
previous JkMount rules
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
783233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapache-mod-jk
Severity: serious
Tags: security
Hi,
the following vulnerability was published for libapache-mod-jk.
CVE-2014-8111[0]:
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
| rules for subtrees of previous JkMount rules, which allows remote
| attackers to access otherwise restricted artifacts via unspecified
| vectors.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-8111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
Please adjust the affected versions in the BTS as needed.
The upstream fix is here: http://svn.apache.org/r1647017
Feel free to lower the severity if you believe the issue to be minor. I'm
not familiar enough with the software to be able to judge.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
--- End Message ---
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.37-4+deb8u1
We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated libapache-mod-jk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 May 2015 01:16:37 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source amd64 all
Version: 1:1.2.37-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description:
libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes:
libapache-mod-jk (1:1.2.37-4+deb8u1) jessie-security; urgency=high
.
* Team upload.
* Add CVE-2014-8111.patch. (Closes: #783233)
It was discovered that a JkUnmount rule for a subtree of a previous JkMount
rule could be ignored. This could allow a remote attacker to potentially
access a private artifact in a tree that would otherwise not be accessible
to them.
- Add option to control handling of multiple adjacent slashes in mount and
unmount. New default is collapsing the slashes only in unmount. Before
this change, adjacent slashes were never collapsed, so most mounts and
unmounts didn't match for URLs with multiple adjacent slashes.
- Configuration is done via new JkOption for Apache
(values "CollapseSlashesAll", "CollapseSlashesNone" or
"CollapseSlashesUnmount").
--- End Message ---
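The changelog above describes the fix as a new JkOption that decides whether adjacent slashes are collapsed before JkMount/JkUnmount rules are compared. As an added illustration (not mod_jk's code and not part of either message), the following Python models a JkMount subtree with a JkUnmount inside it and reports, for each of the three option values named in the changelog, whether a request would be forwarded to Tomcat. The `/path/*` prefix-match rule and the sample mount table are simplifying assumptions; mod_jk's real matcher is more elaborate.

```python
import re

# The three values the changelog names for the new JkOption.
COLLAPSE_NONE = "CollapseSlashesNone"
COLLAPSE_UNMOUNT = "CollapseSlashesUnmount"   # new default per the changelog
COLLAPSE_ALL = "CollapseSlashesAll"


def collapse_slashes(uri: str) -> str:
    """Replace every run of adjacent slashes with a single slash."""
    return re.sub(r"/{2,}", "/", uri)


def pattern_matches(pattern: str, uri: str) -> bool:
    """Simplified JkMount pattern: '/x/*' matches the subtree under '/x/',
    anything else must match exactly (assumption, not mod_jk's matcher)."""
    if pattern.endswith("/*"):
        return uri.startswith(pattern[:-1])  # keeps the trailing '/'
    return uri == pattern


def forwarded_to_tomcat(uri, mounts, unmounts, option=COLLAPSE_UNMOUNT):
    """True if the request reaches Tomcat: some JkMount matches and no
    JkUnmount matches, with slashes collapsed according to `option`."""
    mount_uri = collapse_slashes(uri) if option == COLLAPSE_ALL else uri
    unmount_uri = (collapse_slashes(uri)
                   if option in (COLLAPSE_ALL, COLLAPSE_UNMOUNT) else uri)
    if not any(pattern_matches(m, mount_uri) for m in mounts):
        return False
    return not any(pattern_matches(u, unmount_uri) for u in unmounts)


def audit(mounts, unmounts, uris):
    """Compare a mount table across all three settings: {option: {uri: bool}}."""
    return {opt: {u: forwarded_to_tomcat(u, mounts, unmounts, opt) for u in uris}
            for opt in (COLLAPSE_NONE, COLLAPSE_UNMOUNT, COLLAPSE_ALL)}


if __name__ == "__main__":
    # Constructed sample: a public app with a private subtree unmounted.
    mounts = ["/app/*"]
    unmounts = ["/app/private/*"]
    uris = ["/app/index.jsp", "/app/private/secret.txt", "/app//private/secret.txt"]
    for opt, results in audit(mounts, unmounts, uris).items():
        print(opt)
        for uri, fwd in results.items():
            print(f"  {uri:30} -> {'forwarded' if fwd else 'blocked'}")
```

Under CollapseSlashesNone the unmount rule is compared against the raw URI and so fails to cover the request with doubled slashes, which is the behaviour the changelog describes; the new default closes that gap.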