Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]
Fixing CVE-2023-41081 in Bookworm. Unintended exposure of the status worker and/or bypass security constraints configured in httpd by using implicit mapping.

[ Tests ]
Implicit mapping no longer works with this update and users must explicitly configure it. Otherwise an error message is logged now, which means the update works as intended.

[ Risks ]
Users who unintentionally relied on the implicit mapping functionality will have to update their configuration, but this is intended and needed to avoid the bypass of other security constraints.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru libapache-mod-jk-1.2.48/debian/changelog libapache-mod-jk-1.2.48/debian/changelog --- libapache-mod-jk-1.2.48/debian/changelog 2023-02-18 19:17:18.000000000 +0100 +++ libapache-mod-jk-1.2.48/debian/changelog 2023-09-24 16:40:59.000000000 +0200 @@ -1,3 +1,20 @@ +libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high + + * Fix CVE-2023-41081: + The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to + forward requests from Apache to Tomcat, in some circumstances, such as when + a configuration included "JkOptions +ForwardDirectories" but the + configuration did not provide explicit mounts for all possible proxied + requests, mod_jk would use an implicit mapping and map the request to the + first defined worker. Such an implicit mapping could result in the + unintended exposure of the status worker and/or bypass security constraints + configured in httpd. As of this security update, the implicit mapping + functionality has been removed and all mappings must now be via explicit + configuration. This issue affects Apache Tomcat Connectors (mod_jk only). + (Closes: #1051956) + + -- Markus Koschany <a...@debian.org> Sun, 24 Sep 2023 16:40:59 +0200 + libapache-mod-jk (1:1.2.48-2) unstable; urgency=medium * Declare compliance with Debian Policy 4.6.2. diff -Nru libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch --- libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 1970-01-01 01:00:00.000000000 +0100 +++ libapache-mod-jk-1.2.48/debian/patches/CVE-2023-41081.patch 2023-09-24 16:40:59.000000000 +0200 
@@ -0,0 +1,47 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 24 Sep 2023 16:39:43 +0200 +Subject: CVE-2023-41081 + +Bug-Debian: https://bugs.debian.org/1051956 +Origin: https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792 +--- + native/apache-2.0/mod_jk.c | 19 ------------------- + 1 file changed, 19 deletions(-) + +diff --git a/native/apache-2.0/mod_jk.c b/native/apache-2.0/mod_jk.c +index b755116..d9345d7 100644 +--- a/native/apache-2.0/mod_jk.c ++++ b/native/apache-2.0/mod_jk.c +@@ -2767,17 +2767,6 @@ static int jk_handler(request_rec * r) + rconf->rule_extensions = e; + } + } +- else if (worker_env.num_of_workers == 1) { +- /** We have a single worker ( the common case ). +- ( lb is a bit special, it should count as a single worker but +- I'm not sure how ). We also have a manual config directive that +- explicitly give control to us. */ +- worker_name = worker_env.worker_list[0]; +- if (JK_IS_DEBUG_LEVEL(xconf->log)) +- jk_log(xconf->log, JK_LOG_DEBUG, +- "Single worker (%s) configuration for %s", +- worker_name, r->uri); +- } + else { + if (!xconf->uw_map) { + if (JK_IS_DEBUG_LEVEL(xconf->log)) +@@ -2804,14 +2793,6 @@ static int jk_handler(request_rec * r) + r->uri = clean_uri; + } + } +- +- if (worker_name == NULL && worker_env.num_of_workers) { +- worker_name = worker_env.worker_list[0]; +- if (JK_IS_DEBUG_LEVEL(xconf->log)) +- jk_log(xconf->log, JK_LOG_DEBUG, +- "Using first worker (%s) from %d workers for %s", +- worker_name, worker_env.num_of_workers, r->uri); +- } + } + if (worker_name) + apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name); diff -Nru libapache-mod-jk-1.2.48/debian/patches/series libapache-mod-jk-1.2.48/debian/patches/series --- libapache-mod-jk-1.2.48/debian/patches/series 2023-02-18 19:17:18.000000000 +0100 +++ libapache-mod-jk-1.2.48/debian/patches/series 2023-09-24 16:40:59.000000000 +0200 
@@ -1,2 +1,3 @@ 0002-debianize-log-directory.patch 0003-upgrade-info-to-error-message.patch +CVE-2023-41081.patch
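Review bot: the changelog hunk (`* Fix CVE-2023-41081:` through `(Closes: #1051956)`) describes the vulnerability but not the operator action the cover letter spells out, namely that any request previously served by the implicit single-worker or first-worker fallback now needs an explicit mount (a `JkMount` or equivalent) or it will no longer reach Tomcat. Since this is a deliberate behaviour change that can break deployments on upgrade, consider adding a debian/NEWS entry next to the changelog so the note is displayed at upgrade time rather than only in the changelog.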
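Review bot: in hunk `@@ -2767,17 +2767,6 @@`, removing the `worker_env.num_of_workers == 1` branch sends a single-worker setup with no mount table into the `else` branch, whose visible logging under `if (!xconf->uw_map)` is guarded by `JK_IS_DEBUG_LEVEL(xconf->log)` and therefore debug-level only. The cover letter states that an error message is now logged when implicit mapping is no longer applied, but that message is not in the visible context; please point to where it is emitted (for example whether `0003-upgrade-info-to-error-message.patch` from the series is what raises it) so administrators who relied on implicit mapping actually see the change at the default log level.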
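Review bot: in hunk `@@ -2804,14 +2793,6 @@`, dropping the `if (worker_name == NULL && worker_env.num_of_workers)` fallback is the fix itself, but it means `worker_name` can now remain NULL at the end of the matching logic. The following `if (worker_name)` guard keeps `apr_table_setn(r->notes, JK_NOTE_WORKER_NAME, worker_name)` safe, yet the hunk does not show what jk_handler does next for an unmatched request; confirm it declines the request rather than forwarding it with no worker selected. As a consistency check, the 11 lines removed here plus the 8 in the previous hunk match the `19 deletions(-)` in the patch header, so the backport does not appear to have lost any part of the upstream commit.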