Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 265455 (CVE-2008-5519) - <www-apache/mod_jk-1.2.27: Information disclosure (CVE-2008-5519)
Summary: <www-apache/mod_jk-1.2.27: Information disclosure (CVE-2008-5519)
Status: RESOLVED FIXED
Alias: CVE-2008-5519
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://tomcat.apache.org/security-jk....
Whiteboard: B4 [glsa]
Keywords:
: 265010 (view as bug list)
Depends on: 265010
Blocks:
  Show dependency tree
 
Reported: 2009-04-08 14:40 UTC by Alex Legler (RETIRED)
Modified: 2009-06-29 22:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-08 14:40:04 UTC 
From Mark Thomas <markt@apache.org> via bugtraq:

Vulnerability announcement:
CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

Versions Affected:
mod_jk 1.2.0 to 1.2.26

Description:
Situations where faulty clients set Content-Length without providing
data, or where a user submits repeated requests very quickly may permit
one user to view the response associated with a different user's request.

Mitigation:
Upgrade to mod_jk 1.2.27 or later
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-08 14:40:55 UTC 
Stabling via bug 265010.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-10 20:28:53 UTC 
CVE-2008-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5519):
  The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat
  allows remote attackers to obtain sensitive information via an
  arbitrary request from an HTTP client, in opportunistic circumstances
  involving (1) a request from a different client that included a
  Content-Length header but no POST data or (2) a rapid series of
  requests, related to noncompliance with the AJP protocol's
  requirements for requests containing Content-Length headers.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:37:38 UTC 
*** Bug 265010 has been marked as a duplicate of this bug. ***
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:38:02 UTC 
Testing guide: http://www.gentoo.org/proj/en/java/getting-involved.xml#doc_chap1
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:38:12 UTC 
Arches, please test and mark stable:
=www-apache/mod_jk-1.2.27
Target keywords : "amd64 ppc x86"
Comment 6 nixnut (RETIRED) gentoo-dev 2009-04-18 08:18:41 UTC 
ppc stable
Comment 7 Markus Meier gentoo-dev 2009-04-18 11:57:36 UTC 
amd64/x86 stable, all arches done.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-18 12:25:06 UTC 
glsa decision, I vote NO.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:19:37 UTC 
But I vote YES. :P
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-24 16:46:18 UTC 
YES too, request filed.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-29 22:44:53 UTC 
GLSA 200906-04