From Mark Thomas <markt@apache.org> via bugtraq:
Vulnerability announcement: CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability
Versions Affected: mod_jk 1.2.0 to 1.2.26
Description: Situations where faulty clients set Content-Length without providing data, or where a user submits repeated requests very quickly may permit one user to view the response associated with a different user's request.
Mitigation: Upgrade to mod_jk 1.2.27 or later
Stabling via bug 265010.
CVE-2008-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5519): The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
*** Bug 265010 has been marked as a duplicate of this bug. ***
Testing guide: http://www.gentoo.org/proj/en/java/getting-involved.xml#doc_chap1
Arches, please test and mark stable:
=www-apache/mod_jk-1.2.27
Target keywords: "amd64 ppc x86"
ppc stable
amd64/x86 stable, all arches done.
GLSA decision, I vote NO.
But I vote YES. :P
YES too, request filed.
GLSA 200906-04