Bug#1052552: bullseye-pu: package libapache-mod-jk/1:1.2.48-1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org
[ Reason ]
Fixing CVE-2023-41081 in Bullseye.
Unintended exposure of the status worker and/or bypass of security constraints
configured in httpd by using implicit mapping.
[ Tests ]
Implicit mapping no longer works with this update and users must
explicitly configure it. Otherwise an error message is logged now,
which means the update works as intended.
[ Risks ]
Users who unintentionally relied on the implicit mapping functionality
will have to update their configuration but this is intended and
needed to avoid the bypass of other security constraints.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
Markus
diff -Nru libapache-mod-jk-1.2.48/debian/changelog libapache-mod-jk-1.2.48/debian/changelog
--- libapache-mod-jk-1.2.48/debian/changelog 2020-06-04 21:42:29.000000000 +0200
+++ libapache-mod-jk-1.2.48/debian/changelog 2023-09-24 17:09:51.000000000 +0200
@@ -1,3 +1,20 @@
+libapache-mod-jk (1:1.2.48-1+deb11u1) bullseye; urgency=high
+
+ * Fix CVE-2023-41081:
+ The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
+ forward requests from Apache to Tomcat, in some circumstances, such as when
+ a configuration included "JkOptions +ForwardDirectories" but the
+ configuration did not provide explicit mounts for all possible proxied
+ requests, mod_jk would use an implicit mapping and map the request to the
+ first defined worker. Such an implicit mapping could result in the
+ unintended exposure of the status worker and/or bypass security constraints
+ configured in httpd. As of this security update, the implicit mapping
+ functionality has been removed and all mappings must now be via explicit
+ configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
+ (Closes: #1051956)
+
+ -- Markus Koschany <apo@debian.org> Sun, 24 Sep 2023 17:09:51 +0200
+
libapache-mod-jk (1:1.2.48-1) unstable; urgency=medium
* New upstream version 1.2.48.
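Review bot: The new 1:1.2.48-1+deb11u1 entry is the only place in this debdiff that tells administrators implicit mapping is gone, and a changelog entry is easy to miss on a stable point-release upgrade. Since the entry itself says "all mappings must now be via explicit configuration", consider adding a debian/NEWS entry with the same text and a pointer to adding explicit mounts (JkMount) for every proxied path, so that sites relying on "JkOptions +ForwardDirectories" or on a single worker see it at upgrade time. The diff as posted touches only debian/changelog, the new patch and debian/patches/series.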
diff -Nru libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch
--- libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 1970-01-01 01:00:00.000000000 +0100
+++ libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 2023-09-24 17:09:51.000000000 +0200
@@ -0,0 +1,47 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 24 Sep 2023 16:39:43 +0200
+Subject: CVE-2023-41081
+
+Bug-Debian: https://bugs.debian.org/1051956
+Origin: https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792
+---
+ native/apache-2.0/mod_jk.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+diff --git a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c
+index b755116..d9345d7 100644
+--- a/native/apache-2.0/mod_jk.c
++++ b/native/apache-2.0/mod_jk.c
+@@ -2767,17 +2767,6 @@ static int jk_handler(request_rec * r)
+ rconf->rule_extensions = e;
+ }
+ }
+- else if (worker_env.num_of_workers == 1) {
+- /** We have a single worker ( the common case ).
+- ( lb is a bit special, it should count as a single worker but
+- I'm not sure how ). We also have a manual config directive that
+- explicitly give control to us. */
+- worker_name = worker_env.worker_list[0];
+- if (JK_IS_DEBUG_LEVEL(xconf->log))
+- jk_log(xconf->log, JK_LOG_DEBUG,
+- "Single worker (%s) configuration for %s",
+- worker_name, r->uri);
+- }
+ else {
+ if (!xconf->uw_map) {
+ if (JK_IS_DEBUG_LEVEL(xconf->log))
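Review bot: The patch header above this hunk carries only "Subject: CVE-2023-41081" with no description, while the branch removed at `else if (worker_env.num_of_workers == 1)` is, by its own comment, "the common case". Suggest adding a DEP-3 Description stating that the single-worker fallback is removed and that such requests now go through the `else` branch (the `xconf->uw_map` lookup), and writing the Origin field as "upstream, <commit URL>" so the provenance of the change is machine-readable.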
+@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r)
+ r->uri = clean_uri;
+ }
+ }
+-
+- if (worker_name == NULL && worker_env.num_of_workers) {
+- worker_name = worker_env.worker_list[0];
+- if (JK_IS_DEBUG_LEVEL(xconf->log))
+- jk_log(xconf->log, JK_LOG_DEBUG,
+- "Using first worker (%s) from %d workers for %s",
+- worker_name, worker_env.num_of_workers, r->uri);
+- }
+ }
+ if (worker_name)
+ apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name);
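Review bot: With the `if (worker_name == NULL && worker_env.num_of_workers)` block removed, worker_name can stay NULL on this path, and the only handling visible in the trailing context is the `if (worker_name)` guard around apr_table_setn(). Please confirm in the patch header or the bug what jk_handler returns for a NULL worker_name, and which message backs the "[ Tests ]" statement that an error is now logged: this patch adds no log call, and the logging visible in its context is guarded by JK_IS_DEBUG_LEVEL. If the error comes from 0003-upgrade-info-to-error-message.patch, saying so would make the test claim verifiable.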
diff -Nru libapache-mod-jk-1.2.48/debian/patches/series libapache-mod-jk-1.2.48/debian/patches/series
--- libapache-mod-jk-1.2.48/debian/patches/series 2020-06-04 21:42:29.000000000 +0200
+++ libapache-mod-jk-1.2.48/debian/patches/series 2023-09-24 17:09:51.000000000 +0200
@@ -1,2 +1,3 @@
0002-debianize-log-directory.patch
0003-upgrade-info-to-error-message.patch
+CVE-2023-41081.patch