Your message dated Sat, 27 Jun 2009 16:04:31 +0000
with message-id <e1mkaof-00013k...@ries.debian.org>
and subject line Bug#523054: fixed in libapache-mod-jk 1:1.2.26-2+lenny1
has caused the Debian Bug report #523054,
regarding libapache2-mod-jk: [SECURITY] CVE-2008-5519: Apache Tomcat mod_jk
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
523054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-jk
Version: 1:1.2.26-2
Severity: grave
Tags: security
Justification: user security hole

The Apache Tomcat Security Team has released the following advisory:

  Vulnerability announcement:
  CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

  Severity: important

  Vendor: The Apache Software Foundation

  Versions Affected:
  mod_jk 1.2.0 to 1.2.26

  Description:
  Situations where faulty clients set Content-Length without providing
  data, or where a user submits repeated requests very quickly may permit
  one user to view the response associated with a different user's request.

  Mitigation:
  Upgrade to mod_jk 1.2.27 or later

  Example:
  See description

  Credit:
  This issue was discovered by the Red Hat Security Response Team

  References:
  http://tomcat.apache.org/security.html
  http://tomcat.apache.org/security-jk.html

-- 
Damien Raude-Morvan



--- End Message ---
--- Begin Message ---
Source: libapache-mod-jk
Source-Version: 1:1.2.26-2+lenny1

We believe that the bug you reported is fixed in the latest version of
libapache-mod-jk, which is due to be installed in the Debian FTP archive:

libapache-mod-jk-doc_1.2.26-2+lenny1_all.deb
  to pool/main/liba/libapache-mod-jk/libapache-mod-jk-doc_1.2.26-2+lenny1_all.deb
libapache-mod-jk_1.2.26-2+lenny1.diff.gz
  to pool/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2+lenny1.diff.gz
libapache-mod-jk_1.2.26-2+lenny1.dsc
  to pool/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2+lenny1.dsc
libapache2-mod-jk_1.2.26-2+lenny1_i386.deb
  to pool/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated libapache-mod-jk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 31 May 2009 20:33:52 +0200
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source i386 all
Version: 1:1.2.26-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description: 
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Closes: 523054
Changes: 
 libapache-mod-jk (1:1.2.26-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security-team.
   * CVE-2008-5519: Fix information disclosure vulnerability when clients
     abort connection before sending POST body (closes: #523054).



--- End Message ---
