ports/109949: [patch] www/mod_jk security update to 1.2.21

Nick Barkas snb at threerings.net
Mon Mar 5 21:10:05 UTC 2007

>Number:         109949
>Category:       ports
>Synopsis:       [patch] www/mod_jk security update to 1.2.21
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 05 21:10:05 GMT 2007
>Originator:     Nick Barkas
>Release:        FreeBSD 6.1-RELEASE-p6 i386
Three Rings Design
FreeBSD lab1.earth.threerings.net 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #5: Wed Sep 13 17:45:32 PDT 2006     root at lab1.earth.threerings.net:/usr/obj/usr/src/sys/SMP  i386
The Apache Tomcat Connector versions 1.2.19 and 1.2.20 have a stack buffer overflow vulnerability in map_uri_to_worker() in the mod_jk.so library, triggered by certain long URLs. This allows for arbitrary remote code execution.

See: http://tomcat.apache.org/security-jk.html
I have not seen any specific exploits.
The attached patch updates the www/mod_jk port to 1.2.21, which should have this vulnerability fixed. It would probably be a good idea to make note of this vulnerability in the VuXML document, as it appears to be rather severe.

Patch attached with submission follows:

diff -urN mod_jk.orig/Makefile mod_jk/Makefile
--- mod_jk.orig/Makefile	Mon Oct  9 09:09:35 2006
+++ mod_jk/Makefile	Mon Mar  5 12:32:48 2007
@@ -6,7 +6,7 @@
 PORTNAME=	mod_jk
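Review bot: the Makefile hunk shows only the PORTNAME context line after the "@@ -6,7 +6,7 @@" header, so the one-line change that header implies is not visible here. Before applying, check the original attachment and confirm that the changed line sets the port version to 1.2.21, matching the tomcat-connectors-1.2.21-src.tar.gz name recorded in distinfo.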
diff -urN mod_jk.orig/distinfo mod_jk/distinfo
--- mod_jk.orig/distinfo	Mon Oct  9 09:09:35 2006
+++ mod_jk/distinfo	Mon Mar  5 12:54:14 2007
@@ -1,3 +1,3 @@
-MD5 (tomcat-connectors-1.2.19-src.tar.gz) = 9c3b7135a4992c7f39d5f7aef9c25b30
-SHA256 (tomcat-connectors-1.2.19-src.tar.gz) = 7d75e357c6ff083f5b383d53475a3f14d1f6a45294bf0f2de0a8c552a04746c0
-SIZE (tomcat-connectors-1.2.19-src.tar.gz) = 1246419
+MD5 (tomcat-connectors-1.2.21-src.tar.gz) = ed65157ecbea7d3569de08611aa160eb
+SHA256 (tomcat-connectors-1.2.21-src.tar.gz) = 371908f280eeba38e64dce7bb25a398931c182b9b99976a7bb1196a8ba8b8faa
+SIZE (tomcat-connectors-1.2.21-src.tar.gz) = 1334563
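Review bot: the three replaced distinfo lines (MD5, SHA256 and SIZE for tomcat-connectors-1.2.21-src.tar.gz) record whatever tarball the submitter fetched, and nothing in the hunk ties them to a value published upstream. Since this is a security update, fetch the distfile independently and compare its SHA256 against the digest or signature the Apache Tomcat project provides for the 1.2.21 source release before committing. Rely on the SHA256 line rather than the MD5 line for that comparison.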

