Author: markt
Date: Sun Jul 26 16:37:31 2015
New Revision: 1692731
URL: http://svn.apache.org/r1692731
Log:
Add CVE-2014-8111
Modified:
tomcat/site/trunk/docs/security-jk.html
tomcat/site/trunk/xdocs/security-jk.xml
Modified: tomcat/site/trunk/docs/security-jk.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1692731&r1=1692730&r2=1692731&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Sun Jul 26 16:37:31 2015
@@ -203,6 +203,9 @@
<a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK
Connectors vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.41_(not_yet_released)">Fixed
in Apache Tomcat JK Connector 1.2.41 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat
JK Connector 1.2.27</a>
</li>
<li>
@@ -236,6 +239,40 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.41_(not_yet_released)">Fixed
in Apache Tomcat JK Connector 1.2.41 (not yet released)</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111";
rel="nofollow">CVE-2014-8111</a>
+</p>
+
+
+<p>Multiple adjacent slashes in a request URI were not collapsed to a single
+ slash before comparing the request URI to the configured mount and
+ unmount patterns. It is therefore possible for an attacker to use a
+ request URI containing multiple adjacent slashes to bypass the
+ restrictions of a <code>JkUnmount</code> directive. This may expose
+ application functionality through the reverse proxy that is not intended
+ for clients accessing the application via the reverse proxy.</p>
+
+
+<p>As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is
+ now configurable via a new <code>JkOption</code> for httpd (values
+ <code>CollapseSlashesAll</code>, <code>CollapseSlashesNone</code> or
+ <code>CollapseSlashesUnmount</code>) and via a new property
+ <code>collapse_slashes</code> for IIS (values <code>all</code>,
+ <code>none</code>, <code>unmount</code>).</p>
+
+
+<p>This was fixed in <a
href="http://svn.apache.org/viewvc?view=rev&rev=1647017";>revision
1647017</a>.</p>
+
+
+<p>Affects: JK 1.2.0-1.2.40</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK
Connector 1.2.27</h3>
<div class="text">
Modified: tomcat/site/trunk/xdocs/security-jk.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?rev=1692731&r1=1692730&r2=1692731&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-jk.xml (original)
+++ tomcat/site/trunk/xdocs/security-jk.xml Sun Jul 26 16:37:31 2015
@@ -28,6 +28,32 @@
</section>
+ <section name="Fixed in Apache Tomcat JK Connector 1.2.41 (not yet
released)">
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2014-8111</cve></p>
+
+ <p>Multiple adjacent slashes in a request URI were not collapsed to a
single
+ slash before comparing the request URI to the configured mount and
+ unmount patterns. It is therefore possible for an attacker to use a
+ request URI containing multiple adjacent slashes to bypass the
+ restrictions of a <code>JkUnmount</code> directive. This may expose
+ application functionality through the reverse proxy that is not intended
+ for clients accessing the application via the reverse proxy.</p>
+
+ <p>As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is
+ now configurable via a new <code>JkOption</code> for httpd (values
+ <code>CollapseSlashesAll</code>, <code>CollapseSlashesNone</code> or
+ <code>CollapseSlashesUnmount</code>) and via a new property
+ <code>collapse_slashes</code> for IIS (values <code>all</code>,
+ <code>none</code>, <code>unmount</code>).</p>
+
+ <p>This was fixed in <revlink rev="1647017">revision 1647017</revlink>.</p>
+
+ <p>Affects: JK 1.2.0-1.2.40</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat JK Connector 1.2.27">
<p><strong>Important: Information disclosure</strong>
<cve>CVE-2008-5519</cve></p>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
