780051 – <www-apache/mod_jk-1.2.46 bypass htaccess by adding ';' at the end of an URL (CVE-2018-11759)

Bug 780051 - <www-apache/mod_jk-1.2.46 bypass htaccess by adding ';' at the end of an URL (CVE-2018-11759)

Summary: <www-apache/mod_jk-1.2.46 bypass htaccess by adding ';' at the end of an URL ...

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:	B4 [glsa?]
Keywords:

Depends on:
Blocks:

Reported:	2021-04-04 19:08 UTC by Conrad Kostecki
Modified:	2021-07-29 18:12 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	No

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Conrad Kostecki gentoo-dev

2021-04-04 19:08:29 UTC

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

Comment 1 NATTkA bot gentoo-dev

2021-04-04 19:12:21 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: www-apache/mod_jk-1.2.48

Comment 2 Larry the Git Cow gentoo-dev

2021-04-04 19:13:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5d0264d6572ce14e70a08bc9478a10838ddd3b3

commit c5d0264d6572ce14e70a08bc9478a10838ddd3b3
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-04-04 19:08:53 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-04-04 19:12:55 +0000

    www-apache/mod_jk: bump to version 1.2.48
    
    Closes: https://bugs.gentoo.org/778758
    Bug: https://bugs.gentoo.org/780051
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-apache/mod_jk/Manifest             |  1 +
 www-apache/mod_jk/mod_jk-1.2.48.ebuild | 68 ++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2021-04-04 19:21:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fe9d88f75d60120efe21e4364c343c4b9e6f017

commit 2fe9d88f75d60120efe21e4364c343c4b9e6f017
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-04-04 19:20:42 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-04-04 19:20:51 +0000

    www-apache/mod_jk: drop old version 1.2.42
    
    Dropping old version, as it contains mulitple open security
    vulnerabilities.
    
    Bug: https://bugs.gentoo.org/780051
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-apache/mod_jk/Manifest                    |   1 -
 www-apache/mod_jk/files/88_mod_jk.conf        | 165 --------------------------
 www-apache/mod_jk/files/jk-workers.properties |  36 ------
 www-apache/mod_jk/mod_jk-1.2.42.ebuild        |  60 ----------
 4 files changed, 262 deletions(-)

Comment 4 Conrad Kostecki gentoo-dev

2021-04-04 19:21:34 UTC

Since old version is dropped, we can wait the usable 30 days for stable.

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2021-04-05 19:02:07 UTC

x86 stable

Comment 6 Agostino Sarubbo gentoo-dev

2021-04-13 07:36:37 UTC

amd64 stable.

Maintainer(s), please cleanup.

Comment 7 Conrad Kostecki gentoo-dev

2021-04-13 08:46:07 UTC

Cleanup is done.

Comment 8 John Helmert III archtester

2021-04-13 12:57:58 UTC

Thanks!

Comment 9 NATTkA bot gentoo-dev

2021-07-29 17:23:21 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 10 NATTkA bot gentoo-dev

2021-07-29 17:31:42 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:39:38 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:47:49 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 18:03:45 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 18:12:03 UTC

Package list is empty or all packages have requested keywords.