Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <e1tto4s-005kjx...@coccia.debian.org>
and subject line Close 1095523
has caused the Debian Bug report #1095523,
regarding bookworm-pu: package libapache-mod-jk/1:1.2.48-2+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1095523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache-mod...@packages.debian.org, a...@debian.org
Control: affects -1 + src:libapache-mod-jk
[ Reason ]
Fixing CVE-2024-46544 in bookworm via bookworm-pu. Marked as no-dsa by
the security team.
[ Impact ]
bookworm would be the only vulnerable release
[ Tests ]
The fix only involves to change permissions. No automatic tests were
added.
[ Risks ]
This has been fixed in bullseye for some time and no regressions were
reported. The changes are minimal.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Adding 0004-CVE-2024-46544.patch to change the default permissions.
Debdiff is attached.
diff -Nru libapache-mod-jk-1.2.48/debian/changelog
libapache-mod-jk-1.2.48/debian/changelog
--- libapache-mod-jk-1.2.48/debian/changelog 2023-09-24 16:40:59.000000000
+0200
+++ libapache-mod-jk-1.2.48/debian/changelog 2025-02-08 21:24:47.000000000
+0100
@@ -1,3 +1,13 @@
+libapache-mod-jk (1:1.2.48-2+deb12u2) bookworm; urgency=medium
+
+ * Fix CVE-2024-46544:
+ An issue with incorrect default permissions could have allowed local users
+ to view and modify shared memory containing mod_jk's configuration, which
+ may have potentially led to information disclosure and/or a denial of
+ service attack. (Closes: #1082713)
+
+ -- Markus Koschany <a...@debian.org> Sat, 08 Feb 2025 21:24:47 +0100
+
libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high
* Fix CVE-2023-41081:
diff -Nru libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch
libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch
--- libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch
1970-01-01 01:00:00.000000000 +0100
+++ libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch
2025-02-08 21:24:47.000000000 +0100
@@ -0,0 +1,71 @@
+From: Rainer Jung <rainer.j...@kippdata.de>
+Date: Thu, 8 Aug 2024 10:00:13 +0200
+Subject: [PATCH] Improve shared memory handling on non-Windows.
+
+---
+ native/common/jk_shm.c | 12 ++++++------
+ xdocs/miscellaneous/changelog.xml | 3 +++
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/native/common/jk_shm.c b/native/common/jk_shm.c
+index 58956dc..65d9f62 100644
+--- a/native/common/jk_shm.c
++++ b/native/common/jk_shm.c
+@@ -459,7 +459,7 @@ static int do_shm_open_lock(const char *fname, int
attached, jk_logger_t *l)
+
+ if (attached && jk_shmem.lockname) {
+ #ifdef JK_SHM_LOCK_REOPEN
+- jk_shmem.fd_lock = open(jk_shmem.lockname, O_RDWR, 0666);
++ jk_shmem.fd_lock = open(jk_shmem.lockname, O_RDWR, 0600);
+ #else
+ errno = EINVAL;
+ #endif
+@@ -483,7 +483,7 @@ static int do_shm_open_lock(const char *fname, int
attached, jk_logger_t *l)
+ for (i = 0; i < 8; i++) {
+ strcpy(flkname, "/tmp/jkshmlock.XXXXXX");
+ if (mktemp(flkname)) {
+- jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC,
0666);
++ jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC,
0600);
+ if (jk_shmem.fd_lock >= 0)
+ break;
+ }
+@@ -495,10 +495,10 @@ static int do_shm_open_lock(const char *fname, int
attached, jk_logger_t *l)
+ #ifdef AS400_UTF8
+ wptr = (char *)malloc(strlen(flkname) + 1);
+ jk_ascii2ebcdic((char *)flkname, wptr);
+- jk_shmem.fd_lock = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0666);
++ jk_shmem.fd_lock = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ free(wptr);
+ #else
+- jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC, 0666);
++ jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ #endif
+ #endif
+ if (jk_shmem.fd_lock == -1) {
+@@ -589,10 +589,10 @@ static int do_shm_open(const char *fname, int attached,
+ #ifdef AS400_UTF8
+ wptr = (char *)malloc(strlen(jk_shmem.filename) + 1);
+ jk_ascii2ebcdic((char *)jk_shmem.filename, wptr);
+- fd = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0666);
++ fd = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ free(wptr);
+ #else
+- fd = open(jk_shmem.filename, O_RDWR|O_CREAT|O_TRUNC, 0666);
++ fd = open(jk_shmem.filename, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ #endif
+ if (fd == -1) {
+ jk_shmem.size = 0;
+diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
+index bb5a8ac..224bb18 100644
+--- a/xdocs/miscellaneous/changelog.xml
++++ b/xdocs/miscellaneous/changelog.xml
+@@ -91,6 +91,9 @@
+ socket_connect_timeout to be interpreted in units of seconds
+ instead of milliseconds on platforms that provide poll(). (rjung)
+ </fix>
++ <fix>
++ Improve shared memory handling on non-Windows. (rjung)
++ </fix>
+ </changelog>
+ </subsection>
+ </section>
diff -Nru libapache-mod-jk-1.2.48/debian/patches/series
libapache-mod-jk-1.2.48/debian/patches/series
--- libapache-mod-jk-1.2.48/debian/patches/series 2023-09-24
16:40:59.000000000 +0200
+++ libapache-mod-jk-1.2.48/debian/patches/series 2025-02-08
21:24:47.000000000 +0100
@@ -1,3 +1,4 @@
0002-debianize-log-directory.patch
0003-upgrade-info-to-error-message.patch
CVE-2023-41081.patch
+0004-CVE-2024-46544.patch
--- End Message ---
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---
