
Re: libapache-mod-jk: CVE-2014-8111



Hello Markus,

On Mon, May 25, 2015 at 12:35:04AM +0200, Markus Koschany wrote:
> Hello security team,
> 
> I have prepared two security updates for libapache-mod-jk which is
> affected by CVE-2014-8111 [1] in Jessie and Wheezy. This is Debian bug
> #783233 [2].

Thanks for preparing the update.
> 
> I have already packaged a SVN snapshot for sid/stretch. A new upstream
> release, 1.2.41, has not taken place yet.
> 
> I am attaching the debdiffs to this e-mail which are identical except
> that the targeted distributions are different. Therefore I have rebased
> the upstream fix which can be found here: http://svn.apache.org/r1647017
> 
> I think the issue warrants a DSA since it is remotely exploitable
> although the severity and impact are probably only moderate for most setups.

Source-wise the debdiffs look good to me. But no, I'm not really
familiar with the source package. Were the changes also successfully
tested in some (production) environment?

To already look ahead: if I see it correctly, wheezy and jessie share
the same original source, so
https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull#Stable_and_oldstable_sharing_the_same_upstream_tarball
will apply. So when we then go ahead, the first upload needs to be built
with -sa; wait for it to be accepted on the security-master side, and then
upload the second without including the original source (otherwise
there are problems when pushing the package to ftp-master from
security-master).

> It was discovered that a JkUnmount rule for a subtree of a previous
> JkMount rule could be ignored. This could allow a remote attacker to
> potentially access a private artifact in a tree that would otherwise not
> be accessible to them.

Please add an introductory description of libapache-mod-jk here, e.g.
"An information disclosure flaw was found in mod_jk, the Tomcat
Connector module for Apache. [...]" (or any improvement to this).

Regards,
Salvatore
