Control: tags -1 pending

Hi,

I have prepared a new upstream release of libapache-mod-jk which fixes RC bug #783233, better known as CVE-2014-8111. I would be glad if someone reviewed the package and uploaded it to unstable.

https://security-tracker.debian.org/tracker/source-package/libapache-mod-jk
https://anonscm.debian.org/viewvc/pkg-java/trunk/libapache-mod-jk/

Version 1.2.41 hasn't been released yet, so I prepared an SVN snapshot.

"It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them."

The new version adds new JkOptions to the apache2 module mod_jk and disables the unsafe handling of adjacent slashes by default now. The changes can be adjusted in /etc/apache2/mods-available/jk.conf. The patch for fixing this bug is available here:

https://svn.apache.org/viewvc?view=revision&revision=1647017

I intend to prepare further uploads for jessie, wheezy and squeeze, if possible.

Changelog:

  * Team upload.
  * Imported Upstream SVN snapshot version 1.2.40+svn150520.
    - Fix CVE-2014-8111: (Closes: #783233)
      Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees
      of previous JkMount rules, which allows remote attackers to access
      otherwise restricted artifacts via unspecified vectors.
  * debian/control: Build-Depend on debhelper >= 9.
  * Remove source.lintian-overrides since we now build-depend on debhelper >= 9.
  * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
  * debian/rules:
    - Disable sed command in debian/rules. Apparently not necessary for this
      release.
    - Run buildconf.sh before dh_auto_configure step since this is a
      requirement for building SVN snapshots.
    - Update dh_auto_clean override. Ensure that the package can be built
      twice in a row.
  * debian/control:
    - Add autoconf to Build-Depends.
    - Add automake to Build-Depends.
    - Remove Conflicts and Replaces fields because they are obsolete.
  * Add disable-libtool-check.patch and fix a FTBFS. We already build-depend
    on libtool but the script is not smart enough.
  * Add fix-privacy-breach.patch and fix lintian errors about "privacy breach
    logo".
  * Update debian/copyright information. Add missing BSD-3-clause license.
  * Add README.source.

Regards,

Markus
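The JkMount/JkUnmount issue the message describes, as an added illustration that is not part of the original mail nor of mod_jk's own code: a small Python model of mount/unmount evaluation in which the request URI is normalised (adjacent slashes collapsed) once, before any rule is checked, so an exclusion rule for a subtree keeps applying however the slashes are written. The rule set, URIs and the `collapse` switch are constructed for the example; the switch only models the before/after behaviour and is not a real JkOptions name.

```python
import re
from fnmatch import fnmatchcase

# Constructed rule set, in JkMount/JkUnmount wildcard style ("/*" = whole subtree):
# forward everything to the backend, but keep /private out of it.
MOUNTS = ["/*"]
UNMOUNTS = ["/private/*"]


def collapse_slashes(uri):
    """Fold runs of adjacent slashes into one ("//a///b" -> "/a/b")."""
    return re.sub(r"/{2,}", "/", uri)


def matches(uri, patterns):
    """True if the URI matches any of the JkMount-style patterns."""
    return any(fnmatchcase(uri, p) for p in patterns)


def should_forward(uri, mounts=MOUNTS, unmounts=UNMOUNTS, collapse=True):
    """Decide whether a request URI is handed to the backend (model, not mod_jk code).

    collapse=True: the URI is normalised first and both mount and unmount
    rules see the same string, so an unmounted subtree stays unmounted.
    collapse=False: rules are evaluated against the raw URI, the weakness the
    advisory describes: the narrow unmount rule can fail to match while the
    broad mount rule still does.
    """
    path = collapse_slashes(uri) if collapse else uri
    if matches(path, unmounts):      # exclusion rules win over mount rules
        return False
    return matches(path, mounts)


def find_escapes(uris, mounts=MOUNTS, unmounts=UNMOUNTS):
    """Audit helper: URIs that raw matching would forward although the
    normalised path is covered by an unmount rule. Empty list = no gap."""
    return [u for u in uris
            if should_forward(u, mounts, unmounts, collapse=False)
            and not should_forward(u, mounts, unmounts, collapse=True)]


if __name__ == "__main__":
    sample = ["/app/index.jsp", "/private/secret", "//private/secret"]  # constructed
    for u in sample:
        print(f"{u!r}: forwarded={should_forward(u)}")
    print("gaps found by raw matching:", find_escapes(sample))
```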