I am going to upload a NMU for this issue. Patch attached.
diff -u libapache-mod-jk-1.2.26/debian/changelog libapache-mod-jk-1.2.26/debian/changelog --- libapache-mod-jk-1.2.26/debian/changelog +++ libapache-mod-jk-1.2.26/debian/changelog @@ -1,3 +1,11 @@ +libapache-mod-jk (1:1.2.26-2.1) unstable; urgency=high + + * Non-maintainer upload by the security-team. + * CVE-2008-5519: Fix information disclosure vulnerability when clients + abort connection before sending POST body (closes: #523054). + + -- Stefan Fritsch <s...@debian.org> Sat, 30 May 2009 15:49:20 +0200 + libapache-mod-jk (1:1.2.26-2) unstable; urgency=low * Apply patch to fix JkOptions handling for virtual hosts. Thanks to diff -u libapache-mod-jk-1.2.26/debian/patches/00list libapache-mod-jk-1.2.26/debian/patches/00list --- libapache-mod-jk-1.2.26/debian/patches/00list +++ libapache-mod-jk-1.2.26/debian/patches/00list @@ -4,0 +5 @@ +06_CVE-2008-5519.dpatch only in patch2: unchanged: --- libapache-mod-jk-1.2.26.orig/debian/patches/06_CVE-2008-5519.dpatch +++ libapache-mod-jk-1.2.26/debian/patches/06_CVE-2008-5519.dpatch @@ -0,0 +1,23 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: http://svn.apache.org:80/viewvc?view=rev&revision=702540 + +...@dpatch@ +--- jk/native/common/jk_ajp_common.c (Revision 702539) ++++ jk/native/common/jk_ajp_common.c (Revision 702540) +@@ -1588,6 +1588,14 @@ + if ((len = ajp_read_into_msg_buff(ae, s, op->post, len, l)) < 0) { + /* the browser stop sending data, no need to recover */ + op->recoverable = JK_FALSE; ++ /* Send an empty POST message since per AJP protocol ++ * spec whenever we have content lenght the message ++ * packet must be followed with initial POST packet. ++ * Size zero will be handled as error in container. ++ */ ++ jk_b_reset(op->post); ++ jk_b_append_int(op->post, 0); ++ ajp_connection_tcp_send_message(ae, op->post, l); + JK_TRACE_EXIT(l); + return JK_CLIENT_RD_ERROR; + }
