libapache-mod-jk: CVE-2023-41081

Debian Bug report logs - #1051956
libapache-mod-jk: CVE-2023-41081

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 14 Sep 2023 19:09:02 UTC

Severity: important

Tags: security, upstream

Found in version libapache-mod-jk/1:1.2.48-2

Fixed in version libapache-mod-jk/1:1.2.49-1

Done: Markus Koschany <apo@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1051956; Package src:libapache-mod-jk. (Thu, 14 Sep 2023 19:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 14 Sep 2023 19:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache-mod-jk: CVE-2023-41081
Date: Thu, 14 Sep 2023 21:04:44 +0200
Source: libapache-mod-jk
Version: 1:1.2.48-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libapache-mod-jk.

CVE-2023-41081[0]:
| The mod_jk component of Apache Tomcat Connectors in some
| circumstances, such as when a configuration included "JkOptions
| +ForwardDirectories" but the configuration did not provide
| explicit mounts for all possible proxied requests, mod_jk would
| use an implicit mapping and map the request to the first defined
| worker. Such an implicit mapping could result in the unintended
| exposure of the status worker and/or bypass security constraints
| configured in httpd. As of JK 1.2.49, the implicit mapping
| functionality has been removed and all mappings must now be via
| explicit configuration. Only mod_jk is affected by this issue. The
| ISAPI redirector is not affected.  This issue affects Apache Tomcat
| Connectors (mod_jk only): from 1.2.0 through 1.2.48.  Users are
| recommended to upgrade to version 1.2.49, which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41081
    https://www.cve.org/CVERecord?id=CVE-2023-41081
[1] https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
[2] http://www.openwall.com/lists/oss-security/2023/09/13/2
[3] https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
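
As an added illustration (not part of the bug report, the Debian package or upstream mod_jk), the following Python audit reads an httpd.conf fragment and a workers.properties file and flags the combination the CVE text describes: mod_jk before 1.2.49, `JkOptions +ForwardDirectories`, and requests with no explicit `JkMount` falling through to the first worker in `worker.list`. The config snippets and the version string are constructed assumptions, and the audit only inspects `JkMount` lines (not `JkMountFile` or mounts placed inside `Location` blocks).

```python
"""Audit an httpd.conf / workers.properties pair for the CVE-2023-41081
configuration pattern. Example code, not from the Debian package or
upstream; the config samples below are constructed for this example."""
import re

# Constructed httpd.conf fragment: ForwardDirectories enabled, only one
# explicit mount, so directory requests outside /app/ are unmounted.
HTTPD_CONF_WEAK = """
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
JkOptions +ForwardKeySize +ForwardDirectories
JkMount /app/* ajp13
"""

# Constructed workers.properties: the status worker is listed first, so an
# implicit mapping (JK < 1.2.49) sends unmounted requests to it.
WORKERS_WEAK = """
worker.list=jkstatus,ajp13
worker.jkstatus.type=status
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
"""

def parse_workers(text):
    """Return (ordered worker.list, {worker: type}) from workers.properties."""
    props = dict(re.findall(r"^\s*([\w.-]+)\s*=\s*(\S*)", text, re.M))
    names = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    return names, {w: props.get(f"worker.{w}.type", "") for w in names}

def parse_httpd(text):
    """Return (ForwardDirectories enabled?, set of workers named in a JkMount)."""
    forward = bool(re.search(r"^\s*JkOptions\b.*\+ForwardDirectories", text, re.M))
    mounted = set(re.findall(r"^\s*JkMount\s+\S+\s+(\S+)", text, re.M))
    return forward, mounted

def audit(httpd_conf, workers_props, jk_version):
    """Return a list of findings; an empty list means the pattern is absent."""
    ver = tuple(int(p) for p in jk_version.split("."))
    forward, mounted = parse_httpd(httpd_conf)
    names, types = parse_workers(workers_props)
    findings = []
    if not (forward and ver < (1, 2, 49)):
        return findings  # implicit mapping was removed in 1.2.49
    findings.append("implicit mapping possible: +ForwardDirectories on mod_jk < 1.2.49")
    if names:
        first, kind = names[0], types.get(names[0], "unknown")
        findings.append(f"unmounted requests fall through to first worker '{first}' (type {kind})")
        if kind == "status":
            findings.append("status worker exposed via implicit mapping")
    return findings
```

Swapping the order of `worker.list` removes the status-worker finding but not the implicit-mapping one; only the upgrade to 1.2.49 (or explicit mounts for every proxied path) clears it.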

Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Thu, 14 Sep 2023 23:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Sep 2023 23:09:03 GMT)


Message #10 received at 1051956-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1051956-close@bugs.debian.org
Subject: Bug#1051956: fixed in libapache-mod-jk 1:1.2.49-1
Date: Thu, 14 Sep 2023 23:05:45 +0000
Source: libapache-mod-jk
Source-Version: 1:1.2.49-1
Done: Markus Koschany <apo@debian.org>

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051956@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 15 Sep 2023 00:25:01 +0200
Source: libapache-mod-jk
Architecture: source
Version: 1:1.2.49-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 1051956
Changes:
 libapache-mod-jk (1:1.2.49-1) unstable; urgency=high
 .
   * New upstream version 1.2.49.
     - Fix CVE-2023-41081:
       The mod_jk component of Apache Tomcat Connectors in some circumstances,
       such as when a configuration included "JkOptions +ForwardDirectories" but
       the configuration did not provide explicit mounts for all possible
       proxied requests, mod_jk would use an implicit mapping and map the
       request to the first defined worker. Such an implicit mapping could
       result in the unintended exposure of the status worker and/or bypass
       security constraints configured in httpd. As of JK 1.2.49, the implicit
       mapping functionality has been removed and all mappings must now be via
       explicit configuration. (Closes: #1051956)
       Thanks to Salvatore Bonaccorso for the report.






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 15 17:51:48 2023; Machine Name: bembo
