| Field | Value |
|---|---|
| Summary | <www-apache/mod_jk-1.2.21 - DoS and remote code execution (CVE-2007-0774) |
| Product | Gentoo Security |
| Reporter | Stefan Behte (RETIRED) <craig> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | andre.hinrichs, wltjr |
| Priority | Highest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html |
| Whiteboard | B2? [glsa] DerCorny |
| Package list | |
| Runtime testing required | --- |
Description
Stefan Behte (RETIRED)
2007-03-05 11:20:54 UTC
arches, please test and stable mod_jk-1.2.21-r1, thanks.

wltjr: is 1.2.20-r1 security fixed, too?

according to ZDI: Tomcat 4.1.34 and Tomcat 5.5.20 are also vulnerable? Does this affect us?

(In reply to comment #0)
> > - add an ebuild for 1.2.21
It was added the day it was released.

(In reply to comment #2)
> according to ZDI: Tomcat 4.1.34 and Tomcat 5.5.20 are also vulnerable? Does
> this affect us?
We are likely affected by Tomcat 5.5.20. Upstream is about to kick out another version, I believe they are tagging 5.5.24 sometime soon, today maybe. I will see if upstream plans to expedite the release at all.

Ok, never mind, reading it further it's referring to vulnerable mod_jk in Tomcat 5.5.20 sources, I believe. So this only affects mod_jk.

>> - add an ebuild for 1.2.21
> It was added the day it was released.
Sorry, I didn't have it in portage, maybe synced against a mirror that wasn't up-to-date.
Wouldn't it be useful to release 1.2.19-r2 and 1.2.20-r2 which - after installing - print out a message that they are insecure? Or mask 1.2.19 and 1.2.20?
In my opinion, people should at least know that they are installing an insecure version.
Sorry, but I don't know what the common way of handling this is.

People do not always see the messages or log files. I will likely p.mask once 1.2.21 is stabilized. I must add a message when I p.mask, which anyone trying to emerge the package will see.

> People do not always see the messages or log files.
Sure, but adding messages can't harm anyone.
> I will likely p.mask once 1.2.21 is stabilized. I must add a message when I
> p.mask, which anyone trying to emerge the package will see.
Ah, fine! Thanks for the info. :)

x86 stable

After upgrading mod_jk apache didn't start. Found that mod_jk is responsible because it tries to create a log file in /etc/apache2/log, which is a bad location for log files. Error message from apache is
[Thu Mar 08 14:04:09 2007] [error] (2)No such file or directory: mod_jk: could not open JkLog file /etc/apache2/log/mod_jk.log
In /etc/apache2/modules.d/88_mod_jk.conf I changed the line
JkLogFile /etc/apache2/log/mod_jk.log
to
JkLogFile /var/log/apache2/mod_jk.log
After that everything is fine again. Please consider changing the default location for the log file.

amd64 stable

ready for glsa

(In reply to comment #9)
> In /etc/apache2/modules.d/88_mod_jk.conf I changed the line
> JkLogFile /etc/apache2/log/mod_jk.log
> to
> JkLogFile /var/log/apache2/mod_jk.log
>
> After that everything is fine again. Please consider changing the default
> location for the log file.
Sorry about that, I corrected the path and just committed to tree.

All stable versions gone. New version 1.2.21-r2 is unstable... Mistake???

Yes, another one in a series. :( Copied ebuild for revision before I cvs'd up, and when I did the previous version was updated to stable. But my bumped version was not. OOOPPPS. Got rid of other versions due to security issue. Just committed; should hit mirrors in a few hours. Very sorry.

This has been stabilized and vulnerable versions removed. Closing bug.

Reopening this since it shouldn't have been closed.

GLSA 200703-16
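The startup failure reported in comment #9 (a JkLogFile directive pointing into a directory that does not exist) is easy to catch before restarting httpd. The script below is an added example and is not part of the bug report or of the mod_jk ebuild: it scans an Apache config tree for JkLogFile directives, reports whether each log directory exists and is writable, and rewrites a bad directive to a new path. The config tree, the temporary paths and the demo function are constructed for the demonstration; only the JkLogFile directive and the 88_mod_jk.conf file name come from the thread.

```shell
#!/bin/sh
# Added example (not from the bug report or the ebuild). Checks that every
# JkLogFile directive under a config directory points at a directory httpd
# can write to, and optionally rewrites a directive to a new path.

# jklog_status CONFDIR
# Prints "ok <path>" or "missing <path>" for every JkLogFile directive found.
# Unquoted single-token values only, which is how the shipped config writes it.
jklog_status() {
    grep -rhE '^[[:space:]]*JkLogFile[[:space:]]+' "$1" |
    awk '{print $2}' |
    while read -r logfile; do
        dir=$(dirname "$logfile")
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf 'ok %s\n' "$logfile"
        else
            printf 'missing %s\n' "$logfile"
        fi
    done
}

# check_jklog CONFDIR
# Prints the status lines; returns 1 if any log directory is missing or
# unwritable (httpd would refuse to start), 0 otherwise.
check_jklog() {
    out=$(jklog_status "$1")
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | grep -q '^missing '; then
        return 1
    fi
    return 0
}

# fix_jklog CONFFILE NEWPATH
# Rewrites the JkLogFile directive in CONFFILE to NEWPATH (portable sed, no -i).
fix_jklog() {
    conf=$1
    new=$2
    sed "s|^\([[:space:]]*JkLogFile\)[[:space:]].*|\1 $new|" "$conf" > "$conf.tmp" &&
    mv "$conf.tmp" "$conf"
}

# demo: constructed config tree mirroring the report; the "etc/apache2/log"
# directory is deliberately absent, the "var/log/apache2" directory exists.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf/modules.d" "$tmp/var/log/apache2"
    printf 'JkLogFile %s/etc/apache2/log/mod_jk.log\n' "$tmp" \
        > "$tmp/conf/modules.d/88_mod_jk.conf"
    check_jklog "$tmp/conf" || echo "httpd would fail to start; rewriting JkLogFile"
    fix_jklog "$tmp/conf/modules.d/88_mod_jk.conf" "$tmp/var/log/apache2/mod_jk.log"
    check_jklog "$tmp/conf"
    rm -rf "$tmp"
}

demo
```

Run `check_jklog /etc/apache2` as the user httpd runs as (or at least check the directory ownership by hand), since a directory that is writable for root but not for the apache user produces the same startup failure once httpd drops privileges.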