ports/109949: [patch] www/mod_jk security update to 1.2.21
Nick Barkas
snb at threerings.net
Mon Mar 5 21:10:05 UTC 2007
>Number: 109949
>Category: ports
>Synopsis: [patch] www/mod_jk security update to 1.2.21
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 05 21:10:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: FreeBSD 6.1-RELEASE-p6 i386
>Organization:
Three Rings Design
>Environment:
FreeBSD lab1.earth.threerings.net 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #5: Wed Sep 13 17:45:32 PDT 2006 root at lab1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386
>Description:
The Apache Tomcat Connector versions 1.2.19 and 1.2.20 have a stack buffer overflow vulnerability in the map_uri_to_worker() function in the mod_jk.so library, triggered by certain long URLs. This allows arbitrary remote code execution.
See: http://tomcat.apache.org/security-jk.html
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774
>How-To-Repeat:
I have not seen any specific exploits.
>Fix:
The attached patch updates the www/mod_jk port to 1.2.21, which should have this vulnerability fixed. It would probably be a good idea to make note of this vulnerability in the VuXML document, as it appears to be rather severe.
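The VuXML entry suggested above, sketched here as an added illustration (it is not part of the PR and was not submitted to the FreeBSD vuln.xml file). The vid must be a freshly generated UUID; the affected range carries the ",1" suffix because the port's Makefile sets PORTEPOCH to 1; the entry date is the PR's arrival date and the discovery date is a placeholder, since the PR does not state it:

```xml
<!-- Added example: sketch of a vuln.xml entry for this PR, not the committed entry. -->
<vuln vid="00000000-0000-0000-0000-000000000000"> <!-- placeholder: replace with uuidgen output -->
  <topic>mod_jk -- stack buffer overflow in map_uri_to_worker()</topic>
  <affects>
    <package>
      <name>mod_jk</name>
      <!-- PORTEPOCH=1 in the port Makefile, so package versions are "x.y.z,1" -->
      <range><ge>1.2.19,1</ge><lt>1.2.21,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Nick Barkas reports in PR ports/109949:</p>
      <blockquote cite="http://tomcat.apache.org/security-jk.html">
        <p>The Apache Tomcat Connector versions 1.2.19 and 1.2.20 have a stack
        buffer overflow vulnerability in the map_uri_to_worker() function in
        the mod_jk.so library, triggered by certain long URLs. This allows
        arbitrary remote code execution.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2007-0774</cvename>
    <url>http://tomcat.apache.org/security-jk.html</url>
    <url>http://www.zerodayinitiative.com/advisories/ZDI-07-008.html</url>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery> <!-- placeholder: not stated in the PR -->
    <entry>2007-03-05</entry>          <!-- PR arrival date -->
  </dates>
</vuln>
```

With such an entry in place, `pkg_version`/portaudit users on 1.2.19,1 or 1.2.20,1 are warned until they upgrade to the 1.2.21,1 package this patch produces.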
Patch attached with submission follows:
diff -urN mod_jk.orig/Makefile mod_jk/Makefile
--- mod_jk.orig/Makefile Mon Oct 9 09:09:35 2006
+++ mod_jk/Makefile Mon Mar 5 12:32:48 2007
@@ -6,7 +6,7 @@
#
PORTNAME= mod_jk
-PORTVERSION= 1.2.19
+PORTVERSION= 1.2.21
PORTREVISION= 0
PORTEPOCH?= 1
CATEGORIES= www
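Review bot: PORTREVISION staying at 0 is correct for a PORTVERSION bump, and keeping PORTEPOCH?= 1 means the new package version is 1.2.21,1, so pkg_version/portupgrade will see it as newer than the vulnerable 1.2.19,1 and 1.2.20,1 packages. The PR should also state whether the port's files/ patches and pkg-plist still apply cleanly to the 1.2.21 tarball, since only the version line changes here.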
diff -urN mod_jk.orig/distinfo mod_jk/distinfo
--- mod_jk.orig/distinfo Mon Oct 9 09:09:35 2006
+++ mod_jk/distinfo Mon Mar 5 12:54:14 2007
@@ -1,3 +1,3 @@
-MD5 (tomcat-connectors-1.2.19-src.tar.gz) = 9c3b7135a4992c7f39d5f7aef9c25b30
-SHA256 (tomcat-connectors-1.2.19-src.tar.gz) = 7d75e357c6ff083f5b383d53475a3f14d1f6a45294bf0f2de0a8c552a04746c0
-SIZE (tomcat-connectors-1.2.19-src.tar.gz) = 1246419
+MD5 (tomcat-connectors-1.2.21-src.tar.gz) = ed65157ecbea7d3569de08611aa160eb
+SHA256 (tomcat-connectors-1.2.21-src.tar.gz) = 371908f280eeba38e64dce7bb25a398931c182b9b99976a7bb1196a8ba8b8faa
+SIZE (tomcat-connectors-1.2.21-src.tar.gz) = 1334563
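Review bot: the new MD5, SHA256 and SIZE lines are the only integrity anchor the port will have for the 1.2.21 distfile, but the PR does not say where the tarball was fetched from or that its checksum was compared against the hashes or PGP signature Apache publishes alongside the release; please note that in the PR so a committer can confirm the distinfo was generated from the genuine upstream archive rather than from whatever a mirror served (MD5 alone should not be relied on for that comparison; SHA256 is the line that matters).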
>Release-Note:
>Audit-Trail:
>Unformatted: