Bug 186218

Summary: www-apache/mod_jk < 1.2.23 URL crafted prefix issue (CVE-2007-1860)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: apache-bugs, java, wltjr
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-22 12:26:16 UTC
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
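The description above turns on a request that looks harmless after one round of percent-decoding but yields a `..` segment after a second. As an added illustration (not part of this bug report or of mod_jk itself), the following scan flags such requests in web-server access logs; the log lines, client addresses and paths are constructed samples, and the `/app` prefix stands in for any JkMount.

```python
# Added example: detect double-encoded ".." path segments in access logs.
# Not code from the bug report or the mod_jk project; sample log lines are constructed.
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2007:12:26:16 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [22/Jul/2007:12:27:01 +0000] "GET /app/%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 1024
10.0.0.9 - - [22/Jul/2007:12:28:44 +0000] "GET /app/%2e%2e/WEB-INF/web.xml HTTP/1.1" 403 210
10.0.0.9 - - [22/Jul/2007:12:29:10 +0000] "GET /static/a%20b.png HTTP/1.1" 200 99
"""

# Apache common log format: client, identd, user, [timestamp], "METHOD URI PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def traversal_after_decoding(uri: str, max_rounds: int = 3):
    """Return how many percent-decode rounds are needed before a '..' path segment
    appears (0 = present in the raw URI), or None if none appears within max_rounds."""
    path = uri.split("?", 1)[0]
    for rounds in range(max_rounds + 1):
        if ".." in path.split("/"):
            return rounds
        decoded = unquote(path)
        if decoded == path:  # nothing left to decode
            return None
        path = decoded
    return None

def suspicious_requests(log_text: str):
    """Return (client, uri, rounds) for every request whose path contains a '..'
    segment at some decoding depth. rounds >= 2 is the double-encoded case: a front
    end that decodes once sees no '..', while a back end that decodes again does."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, uri, _status = m.groups()
        rounds = traversal_after_decoding(uri)
        if rounds is not None:
            hits.append((client, uri, rounds))
    return hits

if __name__ == "__main__":
    for client, uri, rounds in suspicious_requests(SAMPLE_LOG):
        print(f"{client} {uri} ('..' surfaces after {rounds} decode round(s))")
```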
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-22 14:01:06 UTC
Version 1.2.23 is already in the tree but unstable. Are we ready to call arches for stabilisation? William, please advise.
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-07-22 16:31:45 UTC
Yes we should be good to go for stabilization. Sorry I had not requested it sooner, kinda been tied up with other things. CC'ing archs now for stabilization of 1.2.23.
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-25 09:21:19 UTC
x86 stable
Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-07-25 15:05:05 UTC
amd64 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 21:04:13 UTC
ppc stable, ready for glsa-voting. On a side note: Debian and Red Hat released advisories.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-28 07:42:11 UTC
I vote YES.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-29 22:07:08 UTC
Voting yes too, let's have a GLSA on this one.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-19 23:01:20 UTC
GLSA 200708-15, thanks everybody