CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules

Debian Bug report logs - #783233


Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Fri, 24 Apr 2015 10:15:01 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in versions libapache-mod-jk/1:1.2.37-1, libapache-mod-jk/1:1.2.30-1, libapache-mod-jk/1:1.2.37-4

Fixed in versions libapache-mod-jk/1:1.2.37-1+deb7u1, libapache-mod-jk/1:1.2.30-1squeeze2, libapache-mod-jk/1:1.2.40+svn150520-1, libapache-mod-jk/1:1.2.37-4+deb8u1

Done: Markus Koschany <apo@gambaru.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#783233; Package src:libapache-mod-jk. (Fri, 24 Apr 2015 10:15:05 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 24 Apr 2015 10:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules
Date: Fri, 24 Apr 2015 12:11:40 +0200
Source: libapache-mod-jk
Severity: serious 
Tags: security

Hi,

the following vulnerability was published for libapache-mod-jk.

CVE-2014-8111[0]:
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
| rules for subtrees of previous JkMount rules, which allows remote
| attackers to access otherwise restricted artifacts via unspecified
| vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8111
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
    Please adjust the affected versions in the BTS as needed.

The upstream fix is here: http://svn.apache.org/r1647017

Feel free to lower the severity if you believe the issue to be minor. I'm
not familiar enough with the software to be able to judge.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 24 Apr 2015 10:57:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#783233; Package src:libapache-mod-jk. (Wed, 20 May 2015 18:09:09 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 20 May 2015 18:09:09 GMT)


Message #12 received at 783233@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 783233@bugs.debian.org
Subject: Re: CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules
Date: Wed, 20 May 2015 20:04:56 +0200
On Fri, 24 Apr 2015 12:11:40 +0200 Raphael Hertzog <hertzog@debian.org>
wrote:
> Source: libapache-mod-jk
> Severity: serious 
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for libapache-mod-jk.
> 
> CVE-2014-8111[0]:
> | Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
> | rules for subtrees of previous JkMount rules, which allows remote
> | attackers to access otherwise restricted artifacts via unspecified
> | vectors.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2014-8111
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
>     Please adjust the affected versions in the BTS as needed.
> 
> The upstream fix is here: http://svn.apache.org/r1647017
> 
> Feel free to lower the severity if you believe the issue to be minor. I'm
> not familiar enough with the software to be able to judge.

This bug is only fixed in upstream's version control system. Version
1.2.41 hasn't been released yet.

If nobody has any objections, I'm going ahead and packaging an SVN snapshot
of libapache-mod-jk. I will also try to fix the version in wheezy and
possibly squeeze.

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#783233; Package src:libapache-mod-jk. (Thu, 21 May 2015 20:03:41 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 21 May 2015 20:03:41 GMT)


Message #17 received at 783233@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: "debian-java@lists.debian.org" <debian-java@lists.debian.org>
Cc: 783233@bugs.debian.org
Subject: RFS: libapache-mod-jk 1:1.2.40+svn150520-1 [RC]
Date: Thu, 21 May 2015 22:00:37 +0200
Control: tags -1 pending

Hi,

I have prepared a new upstream release of libapache-mod-jk which fixes
RC bug #783233, better known as CVE-2014-8111. I would be glad if
someone reviewed the package and uploaded it to unstable.

https://security-tracker.debian.org/tracker/source-package/libapache-mod-jk

https://anonscm.debian.org/viewvc/pkg-java/trunk/libapache-mod-jk/

Version 1.2.41 hasn't been released yet, so I prepared an SVN snapshot.

"It was discovered that a JkUnmount rule for a subtree of a previous
JkMount rule could be ignored. This could allow a remote attacker to
potentially access a private artifact in a tree that would otherwise not
be accessible to them."

The new version adds new JkOptions to the apache2 module mod_jk and
disables the unsafe handling of adjacent slashes by default now. The
changes can be adjusted in /etc/apache2/mods-available/jk.conf.

The patch for fixing this bug is available here:

https://svn.apache.org/viewvc?view=revision&revision=1647017

I intend to prepare further uploads for jessie, wheezy and squeeze, if
possible.

Changelog:

  * Team upload.
  * Imported Upstream SVN snapshot version 1.2.40+svn150520.
    - Fix CVE-2014-8111: (Closes: #783233)
      Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for
      subtrees of previous JkMount rules, which allows remote attackers
      to access otherwise restricted artifacts via unspecified vectors.
  * debian/control: Build-Depend on debhelper >= 9.
  * Remove source.lintian-overrides since we now build-depend on
    debhelper >=9.
  * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
  * debian/rules:
    - Disable sed command in debian/rules. Apparently not necessary for
      this release.
    - Run buildconf.sh before dh_auto_configure step since this is a
      requirement for building SVN snapshots.
    - Update dh_auto_clean override. Ensure that the package can be
      built twice in a row.
  * debian/control:
    - Add autoconf to Build-Depends.
    - Add automake to Build-Depends.
    - Remove Conflicts and Replaces fields because they are obsolete.
  * Add disable-libtool-check.patch and fix a FTBFS. We already
    build-depend on libtool but the script is not smart enough.
  * Add fix-privacy-breach.patch and fix lintian errors about "privacy
    breach logo".
  * Update debian/copyright information. Add missing BSD-3-clause
    license.
  * Add README.source.

Regards,

Markus



Added tag(s) pending. Request was from Markus Koschany <apo@gambaru.de> to 783233-submit@bugs.debian.org. (Thu, 21 May 2015 20:03:41 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#783233; Package src:libapache-mod-jk. (Fri, 22 May 2015 05:09:06 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 22 May 2015 05:09:06 GMT)


Message #24 received at 783233@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 783233@bugs.debian.org
Subject: Re: Bug#783233: RFS: libapache-mod-jk 1:1.2.40+svn150520-1 [RC]
Date: Thu, 21 May 2015 22:06:27 -0700
On 05/21/2015 01:00 PM, Markus Koschany wrote:
> Control: tags -1 pending
> 
> Hi,
> 
> I have prepared a new upstream release of libapache-mod-jk which fixes
> RC bug #783233, better known as CVE-2014-8111. I would be glad if
> someone reviewed the package and uploaded it to unstable.

Hello Markus,

Thank you for your efforts here.  I have reviewed the packaging and
differences against the current version, and have sponsored the upload
to unstable.

There is a lintian warning for "apache2-deprecated-auth-config", but I
think it can be addressed in a subsequent upload.

Cheers,
tony


Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Fri, 22 May 2015 05:21:06 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Fri, 22 May 2015 05:21:06 GMT)


Message #29 received at 783233-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 783233-close@bugs.debian.org
Subject: Bug#783233: fixed in libapache-mod-jk 1:1.2.40+svn150520-1
Date: Fri, 22 May 2015 05:18:52 +0000
Source: libapache-mod-jk
Source-Version: 1:1.2.40+svn150520-1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 21 May 2015 17:53:24 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source all amd64
Version: 1:1.2.40+svn150520-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes:
 libapache-mod-jk (1:1.2.40+svn150520-1) unstable; urgency=high
 .
   * Team upload.
   * Imported Upstream SVN snapshot version 1.2.40+svn150520.
     - Fix CVE-2014-8111: (Closes: #783233)
       Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees of
       previous JkMount rules, which allows remote attackers to access otherwise
       restricted artifacts via unspecified vectors.
   * debian/control: Build-Depend on debhelper >= 9.
   * Remove source.lintian-overrides since we now build-depend on debhelper >=9.
   * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
   * debian/rules:
     - Disable sed command in debian/rules. Apparently not necessary for this
       release.
     - Run buildconf.sh before dh_auto_configure step since this is a requirement
       for building SVN snapshots.
     - Update dh_auto_clean override. Ensure that the package can be built twice
       in a row.
   * debian/control:
     - Add autoconf to Build-Depends.
     - Add automake to Build-Depends.
     - Remove Conflicts and Replaces fields because they are obsolete.
   * Add disable-libtool-check.patch and fix a FTBFS. We already build-depend on
     libtool but the script is not smart enough.
   * Add fix-privacy-breach.patch and fix lintian errors about "privacy breach
     logo".
   * Update debian/copyright information. Add missing BSD-3-clause license.
   * Add README.source.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#783233; Package src:libapache-mod-jk. (Fri, 22 May 2015 09:21:05 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 22 May 2015 09:21:05 GMT)


Message #34 received at 783233@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: tony mancill <tmancill@debian.org>
Cc: 783233@bugs.debian.org
Subject: Re: Bug#783233: RFS: libapache-mod-jk 1:1.2.40+svn150520-1 [RC]
Date: Fri, 22 May 2015 11:17:36 +0200
On 22.05.2015 07:06, tony mancill wrote:
> On 05/21/2015 01:00 PM, Markus Koschany wrote:
>> Control: tags -1 pending
>>
>> Hi,
>>
>> I have prepared a new upstream release of libapache-mod-jk which fixes
>> RC bug #783233, better known as CVE-2014-8111. I would be glad if
>> someone reviewed the package and uploaded it to unstable.
> 
> Hello Markus,
> 
> Thank you for your efforts here.  I have reviewed the packaging and
> differences against the current version, and have sponsored the upload
> to unstable.
> 
> There is a lintian warning for "apache2-deprecated-auth-config", but I
> think it can be addressed in a subsequent upload.

Hi tony,

thank you. I was not sure about "apache2-deprecated-auth-config" and
didn't want to diverge from upstream in this case. I will open a bug
report for this warning and forward it upstream. Let's see what they
think about it.

Regards,

Markus



Marked as found in versions libapache-mod-jk/1:1.2.37-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 May 2015 18:51:10 GMT)


Marked as found in versions libapache-mod-jk/1:1.2.37-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 01 Jun 2015 18:51:15 GMT)


Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Sun, 07 Jun 2015 17:51:04 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 07 Jun 2015 17:51:04 GMT)


Message #43 received at 783233-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 783233-close@bugs.debian.org
Subject: Bug#783233: fixed in libapache-mod-jk 1:1.2.37-1+deb7u1
Date: Sun, 07 Jun 2015 17:47:28 +0000
Source: libapache-mod-jk
Source-Version: 1:1.2.37-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 23 May 2015 23:33:30 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source amd64 all
Version: 1:1.2.37-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description: 
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes: 
 libapache-mod-jk (1:1.2.37-1+deb7u1) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2014-8111.patch. (Closes: #783233)
     It was discovered that a JkUnmount rule for a subtree of a previous JkMount
     rule could be ignored. This could allow a remote attacker to potentially
     access a private artifact in a tree that would otherwise not be accessible
     to them.
     - Add option to control handling of multiple adjacent slashes in mount and
       unmount. New default is collapsing the slashes only in unmount. Before
       this change, adjacent slashes were never collapsed, so most mounts and
       unmounts didn't match for URLs with multiple adjacent slashes.
     - Configuration is done via new JkOption for Apache (values
       "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount").

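The slash-collapsing behaviour that Message #17 and the CVE-2014-8111.patch changelog entry above describe, modelled as an added example written for this page (it is a simplified Python reimplementation, not mod_jk's C code): the matcher supports only exact paths and trailing "/*" wildcards, and the worker name "ajp13" and the /app paths are constructed for the illustration. It shows why the pre-fix CollapseSlashesNone behaviour let a JkUnmount rule be skipped for a URI containing adjacent slashes, and how the new CollapseSlashesUnmount default restores the exclusion.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The three values of the JkOptions setting introduced by the fix.
COLLAPSE_NONE = "CollapseSlashesNone"        # pre-fix behaviour: never collapse
COLLAPSE_UNMOUNT = "CollapseSlashesUnmount"  # new default: collapse for unmount only
COLLAPSE_ALL = "CollapseSlashesAll"          # collapse for mount and unmount

_MULTI_SLASH = re.compile(r"/{2,}")


def collapse_slashes(uri: str) -> str:
    """Replace every run of adjacent slashes with a single slash."""
    return _MULTI_SLASH.sub("/", uri)


def pattern_matches(pattern: str, uri: str) -> bool:
    """Match a JkMount/JkUnmount pattern against a request URI.

    Simplified model: an exact path, or a trailing '/*' meaning the path
    itself and everything beneath it.  Real mod_jk also allows '*' inside
    a path segment; that is omitted here.
    """
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    return uri == pattern


@dataclass
class MountMap:
    """Mount/unmount rules as written in jk.conf, plus the collapse mode."""
    mode: str = COLLAPSE_UNMOUNT
    mounts: List[Tuple[str, str]] = field(default_factory=list)
    unmounts: List[Tuple[str, str]] = field(default_factory=list)

    def jk_mount(self, pattern: str, worker: str) -> None:
        self.mounts.append((pattern, worker))

    def jk_unmount(self, pattern: str, worker: str) -> None:
        self.unmounts.append((pattern, worker))

    def worker_for(self, uri: str) -> Optional[str]:
        """Worker the request is forwarded to, or None when httpd keeps it.

        Mount patterns see the raw URI unless the mode is CollapseSlashesAll;
        unmount patterns see the collapsed URI unless the mode is
        CollapseSlashesNone.  That asymmetry is the new default the
        changelog describes.
        """
        mount_uri = collapse_slashes(uri) if self.mode == COLLAPSE_ALL else uri
        unmount_uri = uri if self.mode == COLLAPSE_NONE else collapse_slashes(uri)
        for pattern, worker in self.mounts:
            if not pattern_matches(pattern, mount_uri):
                continue
            # A mount hit; an unmount rule for the same worker overrides it.
            excluded = any(w == worker and pattern_matches(p, unmount_uri)
                           for p, w in self.unmounts)
            return None if excluded else worker
        return None


def example_map(mode: str) -> MountMap:
    """Constructed jk.conf: forward /app to Tomcat, but keep /app/private in httpd."""
    m = MountMap(mode=mode)
    m.jk_mount("/app/*", "ajp13")
    m.jk_unmount("/app/private/*", "ajp13")
    return m


def check_modes(uri: str) -> dict:
    """Evaluate one URI under all three modes, to compare before and after the fix."""
    return {mode: example_map(mode).worker_for(uri)
            for mode in (COLLAPSE_NONE, COLLAPSE_UNMOUNT, COLLAPSE_ALL)}


if __name__ == "__main__":
    for uri in ("/app/index.jsp", "/app/private/secret.txt",
                "/app//private/secret.txt", "//app/index.jsp"):
        print(uri, check_modes(uri))
```

Under CollapseSlashesNone the doubled slash defeats the unmount pattern while the broader mount pattern still matches, so the request is forwarded to the backend; CollapseSlashesUnmount closes that gap, and CollapseSlashesAll additionally makes mounts themselves tolerant of adjacent slashes.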



Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Sun, 07 Jun 2015 19:03:10 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 07 Jun 2015 19:03:10 GMT)


Message #48 received at 783233-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 783233-close@bugs.debian.org
Subject: Bug#783233: fixed in libapache-mod-jk 1:1.2.37-4+deb8u1
Date: Sun, 07 Jun 2015 19:02:05 +0000
Source: libapache-mod-jk
Source-Version: 1:1.2.37-4+deb8u1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 23 May 2015 01:16:37 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source amd64 all
Version: 1:1.2.37-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes:
 libapache-mod-jk (1:1.2.37-4+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Add CVE-2014-8111.patch. (Closes: #783233)
     It was discovered that a JkUnmount rule for a subtree of a previous JkMount
     rule could be ignored. This could allow a remote attacker to potentially
     access a private artifact in a tree that would otherwise not be accessible
     to them.
     - Add option to control handling of multiple adjacent slashes in mount and
       unmount. New default is collapsing the slashes only in unmount. Before
       this change, adjacent slashes were never collapsed, so most mounts and
       unmounts didn't match for URLs with multiple adjacent slashes.
     - Configuration is done via new JkOption for Apache
       (values "CollapseSlashesAll", "CollapseSlashesNone" or
       "CollapseSlashesUnmount").




Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Tue, 09 Jun 2015 18:24:04 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Tue, 09 Jun 2015 18:24:04 GMT)


Message #53 received at 783233-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 783233-close@bugs.debian.org
Subject: Bug#783233: fixed in libapache-mod-jk 1:1.2.30-1squeeze2
Date: Tue, 09 Jun 2015 18:20:41 +0000
Source: libapache-mod-jk
Source-Version: 1:1.2.30-1squeeze2

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 30 May 2015 14:54:17 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source amd64 all
Version: 1:1.2.30-1squeeze2
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description: 
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 783233
Changes: 
 libapache-mod-jk (1:1.2.30-1squeeze2) squeeze-lts; urgency=high
 .
   * Team upload.
   * Add CVE-2014-8111.patch. (Closes: #783233)
     It was discovered that a JkUnmount rule for a subtree of a previous JkMount
     rule could be ignored. This could allow a remote attacker to potentially
     access a private artifact in a tree that would otherwise not be accessible
     to them.
     - Add option to control handling of multiple adjacent slashes in mount and
       unmount. New default is collapsing the slashes only in unmount. Before
       this change, adjacent slashes were never collapsed, so most mounts and
       unmounts didn't match for URLs with multiple adjacent slashes.
     - Configuration is done via new JkOption for Apache (values
       "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount").




Marked as found in versions libapache-mod-jk/1:1.2.30-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 04:48:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#783233; Package src:libapache-mod-jk. (Wed, 02 Sep 2015 11:21:13 GMT)


Acknowledgement sent to "County Court" <dale.short@ipswich.footholds.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 02 Sep 2015 11:21:13 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Oct 2015 07:31:09 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:50:32 2019; Machine Name: buxtehude
