ports/113066: [patch] Security update for www/mod_jk to 1.2.23
Nick Barkas
snb at threerings.net
Sun May 27 20:01:15 UTC 2007
>Number: 113066
>Category: ports
>Synopsis: [patch] Security update for www/mod_jk to 1.2.23
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun May 27 20:00:30 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: FreeBSD 6.1-RELEASE-p10 i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD maguro.moduli.net 6.1-RELEASE-p10 FreeBSD 6.1-RELEASE-p10 #0: Fri Dec 1 23:08:05 PST 2006 root at maguro.moduli.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
This is an update to the port to its latest version, 1.2.23, which has a fix for
possible information disclosure via double encoded paths. See
http://tomcat.apache.org/security-jk.html
>How-To-Repeat:
>Fix:
Here is a patch to update the port, and a patch to update VuXML with the
vulnerability.
--- mod_jk.patch begins here ---
diff -urN mod_jk.orig/Makefile mod_jk/Makefile
--- mod_jk.orig/Makefile Fri May 25 14:49:55 2007
+++ mod_jk/Makefile Fri May 25 14:50:17 2007
@@ -6,7 +6,7 @@
#
PORTNAME= mod_jk
-PORTVERSION= 1.2.21
+PORTVERSION= 1.2.23
PORTREVISION= 0
PORTEPOCH?= 1
CATEGORIES= www
diff -urN mod_jk.orig/distinfo mod_jk/distinfo
--- mod_jk.orig/distinfo Fri May 25 14:49:55 2007
+++ mod_jk/distinfo Fri May 25 14:53:38 2007
@@ -1,3 +1,3 @@
-MD5 (tomcat-connectors-1.2.21-src.tar.gz) = ed65157ecbea7d3569de08611aa160eb
-SHA256 (tomcat-connectors-1.2.21-src.tar.gz) = 371908f280eeba38e64dce7bb25a398931c182b9b99976a7bb1196a8ba8b8faa
-SIZE (tomcat-connectors-1.2.21-src.tar.gz) = 1334563
+MD5 (tomcat-connectors-1.2.23-src.tar.gz) = 4302ff93b5357772444eeed9f843a81e
+SHA256 (tomcat-connectors-1.2.23-src.tar.gz) = 90df61bfc88a54f11aa39a0ba4acc5d7ae52c559f51da810ada0d678e19e3c5a
+SIZE (tomcat-connectors-1.2.23-src.tar.gz) = 1368060
--- mod_jk.patch ends here ---
--- vuln.xml.patch begins here ---
--- vuln.xml.orig Thu May 24 17:37:57 2007
+++ vuln.xml Sun May 27 11:52:03 2007
@@ -34,6 +34,41 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="8d43de9b-0b0b-11dc-a097-0030485949d4">
+ <topic>mod_jk -- Double encoded ".." security bypass</topic>
+ <affects>
+ <package>
+ <name>mod_jk-ap2</name>
+ <name>mod_jk</name>
+ <range><ge>1.2.20</ge><lt>1.2.23</lt></range>
+ <range><ge>1.2.20,1</ge><lt>1.2.23,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <blockquote cite="http://tomcat.apache.org/security-jk.html">
+ <p>The Tomcat developers report:</p>
+ <p>mod_jk before version 1.2.23 by default decoded request URLs inside
+ Apache httpd and forwarded the encoded URL to Tomcat, which itself did a
+ second decoding. This made it possible to pass a prefix JkMount for
+ /someapp, but actually access /otherapp on Tomcat. Starting with version
+ 1.2.23 by default mod_jk forwards the original unchanged request URL to
+ Tomcat. You can achieve the same level of security for older versions by
+ setting the forwarding option "JkOption ForwardURICompatUnparsed".</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2007-1860</cvename>
+ <url>http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1</url>
+ <url>http://tomcat.apache.org/security-jk.html</url>
+ <url>http://secunia.com/advisories/25383</url>
+ </references>
+ <dates>
+ <discovery>2007-05-18</discovery>
+ <entry>2007-05-26</entry>
+ </dates>
+ </vuln>
<vuln vid="de2fab2d-0a37-11dc-aae2-00304881ac9a">
<topic>FreeType 2 -- Heap overflow vulnerability</topic>
<affects>
--- vuln.xml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list