Bug 169433 - <www-apache/mod_jk-1.2.21 - DoS and remote code execution (CVE-2007-0774)
Summary: <www-apache/mod_jk-1.2.21 - DoS and remote code execution (CVE-2007-0774)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest major
Assignee: Gentoo Security
URL: http://tomcat.apache.org/connectors-d...
Whiteboard: B2? [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-05 11:20 UTC by Stefan Behte (RETIRED)
Modified: 2007-03-17 06:51 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Stefan Behte (RETIRED) gentoo-dev Security 2007-03-05 11:20:54 UTC
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html

- someone please mask 1.2.19 and 1.2.20!
- add an ebuild for 1.2.21
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-05 11:34:26 UTC
arches, please test and stable mod_jk-1.2.21-r1, thanks.

wltjr: is 1.2.20-r1 security fixed, too?
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-05 12:59:11 UTC
According to ZDI, Tomcat 4.1.34 and Tomcat 5.5.20 are also vulnerable? Does this affect us?
Comment 3 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-03-05 14:53:52 UTC
(In reply to comment #0)
>
> - add an ebuild for 1.2.21

It was added the day it was released.


(In reply to comment #2)
> according to ZDI: Tomcat 4.1.34 and Tomcat 5.5.20 are also vulnerable? Does
> this affect us?

We are likely affected by Tomcat 5.5.20. Upstream is about to kick out another version, I believe they are tagging 5.5.24 sometime soon, today maybe. I will see if upstream plans to expedite the release at all.

Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-03-05 14:58:10 UTC
Ok, never mind, reading it further it's referring to the vulnerable mod_jk in the Tomcat 5.5.20 sources, I believe. So this only affects mod_jk.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-05 15:54:48 UTC
>> - add an ebuild for 1.2.21
>It was added the day it was released.
Sorry, I didn't have it in portage, maybe synced against a mirror that wasn't up-to-date.

Wouldn't it be useful to release 1.2.19-r2 and 1.2.20-r2 which, after installing, print out a message that it's insecure? Or mask 1.2.19 and 1.2.20?
In my opinion, people should at least know that they are installing an insecure version.
Sorry, but I don't know what the common way of handling this is.
Comment 6 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-03-05 16:28:39 UTC
People do not always see the messages or log files. I will likely p.mask once 1.2.21 is stabilized. I must add a message when I p.mask, which anyone trying to emerge the package will see.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2007-03-05 16:39:20 UTC
>People do not always see the messages or log files.
Sure, but adding messages can't harm anyone.

>I will likely p.mask once 1.2.21 is stabilized. I must add a message when I 
>p.mask and that anyone trying to emerge the package will see.
Ah, fine! Thanks for the info. :)
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-06 07:39:47 UTC
x86 stable
Comment 9 Andre Hinrichs 2007-03-08 13:22:59 UTC
After upgrading mod_jk, apache didn't start. I found that mod_jk is responsible because it tries to create a log file in /etc/apache2/log, which is a bad location for log files.

The error message from apache is:
[Thu Mar 08 14:04:09 2007] [error] (2)No such file or directory: mod_jk: could not open JkLog file /etc/apache2/log/mod_jk.log


In /etc/apache2/modules.d/88_mod_jk.conf I changed the line
JkLogFile /etc/apache2/log/mod_jk.log
to
JkLogFile /var/log/apache2/mod_jk.log

After that everything is fine again. Please consider changing the default location for the log file.
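The failure in comment 9 is a startup-time error: Apache refuses to start when the directory of the configured JkLogFile does not exist. The following added example (not from the bug thread or the Gentoo ebuild) is a small POSIX shell check that reads every JkLogFile directive from a configuration fragment and verifies that its parent directory exists, so the problem is caught before a restart. The demo constructs two fragments under a temporary directory, mirroring the old and corrected lines from the comment; the temp paths are an assumption of the example so that it runs on any machine.

```shell
#!/bin/sh
# Added example, not part of the original bug report.
# jk_logfile_dir_ok CONFIG_FILE
#   Reads each uncommented "JkLogFile <path>" directive from CONFIG_FILE and
#   checks that the directory containing <path> exists. Returns 0 when every
#   directive points into an existing directory, 1 when one does not.
jk_logfile_dir_ok() {
    conf="$1"
    rc=0
    # Drop comment lines, keep JkLogFile directives, extract the path argument.
    grep -v '^[[:space:]]*#' "$conf" | awk '$1 == "JkLogFile" { print $2 }' |
    while IFS= read -r path; do
        dir=$(dirname "$path")
        if [ -d "$dir" ]; then
            echo "ok: $path (directory $dir exists)"
        else
            echo "missing: $path (directory $dir does not exist)"
            exit 1            # exits the pipeline subshell, fails the check
        fi
    done || rc=1
    return $rc
}

# demo: constructed config fragments rooted in a temp dir (assumed layout).
# "$tmp/var/log/apache2" is created; "$tmp/etc/apache2/log" deliberately is not,
# reproducing the shipped default that broke startup in comment 9.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/log/apache2"
    printf 'JkLogFile %s/etc/apache2/log/mod_jk.log\n' "$tmp" > "$tmp/old.conf"
    printf 'JkLogFile %s/var/log/apache2/mod_jk.log\n' "$tmp" > "$tmp/new.conf"
    jk_logfile_dir_ok "$tmp/old.conf" || echo "old fragment would prevent apache from starting"
    jk_logfile_dir_ok "$tmp/new.conf" && echo "new fragment is safe to restart with"
    rm -rf "$tmp"
}
```

Run `demo` (or call `jk_logfile_dir_ok /etc/apache2/modules.d/88_mod_jk.conf` on a real system) before `apache2ctl restart`; the check only inspects the first word after JkLogFile, so quoted paths containing spaces are not handled.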
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2007-03-08 14:12:52 UTC
amd64 stable
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-08 16:02:44 UTC
ready for glsa
Comment 12 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-03-08 16:04:57 UTC
(In reply to comment #9)
>
> In /etc/apache2/modules.d/88_mod_jk.conf I changed the line
> JkLogFile /etc/apache2/log/mod_jk.log
> to
> JkLogFile /var/log/apache2/mod_jk.log
> 
> After that everything is fine again. Please consider changing the default
> location for the log file.
 
Sorry about that, I corrected the path and just committed to tree.
Comment 13 Andre Hinrichs 2007-03-08 18:14:38 UTC
All stable versions gone.
New version 1.2.21-r2 is unstable...
Mistake???
Comment 14 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-03-08 19:16:57 UTC
Yes, another one in a series. :( I copied the ebuild for the revision before I cvs'd up, and when I did, the previous version was updated to stable, but my bumped version was not. OOOPPPS. Got rid of the other versions due to the security issue. Just committed; it should hit mirrors in a few hours. Very sorry.
Comment 15 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-03-11 18:16:12 UTC
This has been stabilized and vulnerable versions removed. Closing bug.
Comment 16 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-14 19:25:44 UTC
Reopening this since it shouldn't have been closed.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-17 06:51:43 UTC
GLSA 200703-16