Source: libapache-mod-jk
Version: 1:1.2.48-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for libapache-mod-jk.

CVE-2023-41081[0]:
| The mod_jk component of Apache Tomcat Connectors in some
| circumstances, such as when a configuration included "JkOptions
| +ForwardDirectories" but the configuration did not provide
| explicit mounts for all possible proxied requests, mod_jk would
| use an implicit mapping and map the request to the first defined
| worker. Such an implicit mapping could result in the unintended
| exposure of the status worker and/or bypass security constraints
| configured in httpd. As of JK 1.2.49, the implicit mapping
| functionality has been removed and all mappings must now be via
| explicit configuration. Only mod_jk is affected by this issue. The
| ISAPI redirector is not affected. This issue affects Apache Tomcat
| Connectors (mod_jk only): from 1.2.0 through 1.2.48. Users are
| recommended to upgrade to version 1.2.49, which fixes the issue.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41081
    https://www.cve.org/CVERecord?id=CVE-2023-41081
[1] https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
[2] http://www.openwall.com/lists/oss-security/2023/09/13/2
[3] https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
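Added example, not part of the bug report above and not code from the mod_jk project: a small audit script for the circumstance the CVE text names, "JkOptions +ForwardDirectories" combined with an incomplete set of explicit JkMount entries on mod_jk 1.2.0 through 1.2.48. It parses the standard mod_jk directives (JkOptions, the two-argument JkMount and the one-argument JkMount inside <Location>, plus worker.list and worker.<name>.type in workers.properties) from two constructed configurations, a weak one and a hardened one, and reports when the implicit mapping is in effect and when the first defined worker, the one an implicitly mapped request would land on, is a status worker. The sample configs, worker names, paths and the heuristic itself are assumptions made for illustration; the only complete fix is the upgrade to 1.2.49 the advisory recommends.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configurations (assumptions for this example only).
WEAK_HTTPD_CONF = """
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
# Directory requests are forwarded even when no JkMount matches them.
JkOptions +ForwardDirectories
JkMount /app/* ajp13
"""

WEAK_WORKERS = """
# The status worker is listed first, so it is the "first defined worker".
worker.list=jkstatus,ajp13
worker.jkstatus.type=status
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
"""

HARDENED_HTTPD_CONF = """
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkOptions -ForwardDirectories
# Every proxied path has an explicit mount.
JkMount /app ajp13
JkMount /app/* ajp13
# The status worker is reachable only through an access-controlled Location.
<Location /jk-status>
    JkMount jkstatus
    Require ip 127.0.0.1
</Location>
"""

HARDENED_WORKERS = """
worker.list=ajp13,jkstatus
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.jkstatus.type=status
"""


@dataclass
class JkConfig:
    forward_directories: bool = False           # mod_jk default is off
    mounts: list = field(default_factory=list)  # (url pattern, worker name)
    worker_list: list = field(default_factory=list)
    worker_types: dict = field(default_factory=dict)


def _strip(line):
    """Drop comments and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_httpd_conf(text, cfg=None):
    """Collect the ForwardDirectories option and all JkMount directives,
    including the one-argument form used inside a <Location> block."""
    cfg = cfg or JkConfig()
    location = None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line, re.I)
        if m:
            location = m.group(1)
            continue
        if re.match(r"</Location\s*>", line, re.I):
            location = None
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "jkoptions":
            for opt in parts[1:]:
                if opt.lstrip("+-").lower() == "forwarddirectories":
                    cfg.forward_directories = not opt.startswith("-")
        elif directive == "jkmount":
            if len(parts) == 3:                 # JkMount <pattern> <worker>
                cfg.mounts.append((parts[1], parts[2]))
            elif len(parts) == 2 and location:  # JkMount <worker> in <Location>
                cfg.mounts.append((location, parts[1]))
    return cfg


def parse_workers(text, cfg=None):
    """Read worker.list and worker.<name>.type from workers.properties."""
    cfg = cfg or JkConfig()
    for raw in text.splitlines():
        line = _strip(raw)
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "worker.list":
            cfg.worker_list = [w.strip() for w in value.split(",") if w.strip()]
        m = re.match(r"worker\.([^.]+)\.type$", key)
        if m:
            cfg.worker_types[m.group(1)] = value
    return cfg


def audit(cfg):
    """Return findings for the implicit-mapping risk on mod_jk <= 1.2.48.
    An empty list means this heuristic found nothing, not that the host is safe."""
    findings = []
    if not cfg.worker_list:
        return ["no worker.list defined; mod_jk has no workers to map to"]
    first = cfg.worker_list[0]
    if cfg.forward_directories:
        findings.append("+ForwardDirectories is set: directory requests with no "
                        f"explicit JkMount are implicitly mapped to '{first}'")
        if cfg.worker_types.get(first) == "status":
            findings.append(f"first worker '{first}' is a status worker: the "
                            "implicit mapping exposes jkstatus without any JkMount")
    return findings


def audit_text(httpd_conf, workers_properties):
    """Parse both files and run the audit; returns the list of findings."""
    cfg = parse_httpd_conf(httpd_conf)
    parse_workers(workers_properties, cfg)
    return audit(cfg)


if __name__ == "__main__":
    for label, conf, workers in (("weak", WEAK_HTTPD_CONF, WEAK_WORKERS),
                                 ("hardened", HARDENED_HTTPD_CONF, HARDENED_WORKERS)):
        print(label, audit_text(conf, workers) or ["no findings"])
```

Run against a real deployment by reading httpd.conf (and any included mod_jk fragments) and workers.properties into the two strings. The hardened sample turns ForwardDirectories off, mounts every proxied path explicitly, puts the AJP worker first in worker.list and confines the status worker to a Location with a Require rule; none of that replaces the upgrade to 1.2.49, which removes the implicit mapping outright.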