
Bug 265455 (CVE-2008-5519)

Summary: <www-apache/mod_jk-1.2.27: Information disclosure (CVE-2008-5519)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://tomcat.apache.org/security-jk.html
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 265010
Bug Blocks:

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-08 14:40:04 UTC
From Mark Thomas <markt@apache.org> via bugtraq:

Vulnerability announcement:
CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

Versions Affected:
mod_jk 1.2.0 to 1.2.26

Description:
Situations where faulty clients set Content-Length without providing
data, or where a user submits repeated requests very quickly may permit
one user to view the response associated with a different user's request.

Mitigation:
Upgrade to mod_jk 1.2.27 or later
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-08 14:40:55 UTC
Stabling via bug 265010.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-10 20:28:53 UTC
CVE-2008-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5519):
  The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat
  allows remote attackers to obtain sensitive information via an
  arbitrary request from an HTTP client, in opportunistic circumstances
  involving (1) a request from a different client that included a
  Content-Length header but no POST data or (2) a rapid series of
  requests, related to noncompliance with the AJP protocol's
  requirements for requests containing Content-Length headers.

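The advisory text in the description ("faulty clients set Content-Length without providing data") and the NVD wording in comment 2 ("noncompliance with the AJP protocol's requirements for requests containing Content-Length headers") describe the same failure: on a reused AJP connection the container is still waiting for body bytes the connector promised, so the next request's bytes are consumed as that body and responses get crossed between users. The checker below is an added example, not code from mod_jk, Tomcat or this bug report. It parses the connector-to-container side of an AJP13 byte stream and flags any forward request that arrives while the previous request still owes Content-Length bytes. The framing and field layout follow the published AJP13 format (0x1234 magic, 2-byte length, forward-request prefix 2, 0xA0xx coded header names, empty body packet as end-of-body); the host names, URIs and the byte stream itself are constructed for the example, not captured traffic.

```python
"""Added example, not mod_jk's or Tomcat's code: flag Content-Length / body
desynchronisation on the connector -> container side of an AJP13 connection.
A forward request that arrives while the previous request still owes body
bytes is the condition under which a container reads one user's request as
another user's body. Packets below are constructed, not captured."""
import struct

AJP_MAGIC = 0x1234             # connector -> container packets start 0x12 0x34
PREFIX_FORWARD_REQUEST = 2     # payload prefix code of a forward request
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
METHOD_CODES = {v: k for k, v in METHODS.items()}
SC_HEADERS = {0xA007: "content-type", 0xA008: "content-length", 0xA00B: "host"}
SC_CODES = {v: k for k, v in SC_HEADERS.items()}


def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL terminator."""
    b = s.encode("ascii")
    return struct.pack(">H", len(b)) + b + b"\x00"


def ajp_packet(payload):
    """Frame a connector -> container payload: magic, 2-byte length, payload."""
    return struct.pack(">HH", AJP_MAGIC, len(payload)) + payload


def forward_request(method, uri, headers):
    """Minimal forward request; well-known header names use their 0xA0xx codes."""
    p = bytes([PREFIX_FORWARD_REQUEST, METHOD_CODES[method]])
    p += ajp_string("HTTP/1.1") + ajp_string(uri) + ajp_string("192.0.2.10")
    p += ajp_string("") + ajp_string("app.example")   # remote_host, server_name (assumed)
    p += struct.pack(">HB", 80, 0)                    # server_port, is_ssl
    p += struct.pack(">H", len(headers))
    for name, value in headers:
        code = SC_CODES.get(name.lower())
        p += struct.pack(">H", code) if code else ajp_string(name)
        p += ajp_string(value)
    return ajp_packet(p + b"\xff")                    # no request attributes


def body_chunk(data):
    """Body data packet: 2-byte data length, then data; empty payload ends the body."""
    return ajp_packet(struct.pack(">H", len(data)) + data if data else b"")


def _read_string(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    if n == 0xFFFF:                                   # AJP null string
        return None, off + 2
    return buf[off + 2:off + 2 + n].decode("ascii"), off + 3 + n


def parse_forward_request(payload):
    """Parse a forward request payload; returns None if it is not a valid one."""
    if len(payload) < 2 or payload[0] != PREFIX_FORWARD_REQUEST or payload[1] not in METHODS:
        return None
    try:
        req, off = {"method": METHODS[payload[1]], "headers": {}}, 2
        for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
            req[field], off = _read_string(payload, off)
        off += 3                                      # server_port + is_ssl
        (nhdr,) = struct.unpack_from(">H", payload, off)
        off += 2
        for _ in range(nhdr):
            (code,) = struct.unpack_from(">H", payload, off)
            if code >> 8 == 0xA0:
                name, off = SC_HEADERS.get(code, "sc-%04x" % code), off + 2
            else:
                name, off = _read_string(payload, off)
            value, off = _read_string(payload, off)
            req["headers"][name.lower()] = value
        if payload[off] != 0xFF:                      # attributes are not modelled here
            return None
        req["content_length"] = int(req["headers"].get("content-length", "0"))
        return req
    except (struct.error, UnicodeDecodeError, ValueError, IndexError, AttributeError):
        return None


def split_packets(stream):
    """Split a connector -> container byte stream into packet payloads."""
    payloads, off = [], 0
    while off < len(stream):
        magic, length = struct.unpack_from(">HH", stream, off)
        if magic != AJP_MAGIC:
            raise ValueError("bad AJP magic at offset %d" % off)
        payloads.append(stream[off + 4:off + 4 + length])
        off += 4 + length
    return payloads


def check_stream(stream):
    """Return (requests, findings); a finding is (packet index, description)."""
    requests, findings, pending = [], [], 0
    for i, payload in enumerate(split_packets(stream)):
        req = parse_forward_request(payload)
        if req is not None:                           # a new request begins
            if pending > 0:
                prev = requests[-1]
                findings.append((i, "%s %s arrived while %s %s still owed %d body bytes"
                                 % (req["method"], req["uri"], prev["method"], prev["uri"], pending)))
            requests.append(req)
            pending = req["content_length"]
        elif len(payload) == 0:                       # empty body packet: end of body
            pending = 0
        else:                                         # body chunk: consume its bytes
            pending = max(pending - struct.unpack_from(">H", payload, 0)[0], 0)
    return requests, findings


# Constructed traffic, not a capture: a complete POST, then a POST whose
# Content-Length promised 20 bytes the connector never sent, then another
# user's GET on the same reused AJP connection.
SAMPLE_STREAM = (
    forward_request("POST", "/app/submit", [("Host", "app.example"), ("Content-Length", "11")])
    + body_chunk(b"hello=world")
    + forward_request("POST", "/app/other", [("Host", "app.example"), ("Content-Length", "20")])
    + forward_request("GET", "/app/account", [("Host", "app.example")])
)

if __name__ == "__main__":
    for index, text in check_stream(SAMPLE_STREAM)[1]:
        print("packet %d: %s" % (index, text))
```

The compliant way for a connector to close out a request whose client never delivered its promised body is an empty body packet, which the checker accepts as end-of-body; only the container-to-connector direction (GET_BODY_CHUNK and the response packets) is left out, since the desync is visible on the request side alone.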
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:37:38 UTC
*** Bug 265010 has been marked as a duplicate of this bug. ***
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:38:02 UTC
Testing guide: http://www.gentoo.org/proj/en/java/getting-involved.xml#doc_chap1
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:38:12 UTC
Arches, please test and mark stable:
=www-apache/mod_jk-1.2.27
Target keywords : "amd64 ppc x86"
Comment 6 nixnut (RETIRED) gentoo-dev 2009-04-18 08:18:41 UTC
ppc stable
Comment 7 Markus Meier gentoo-dev 2009-04-18 11:57:36 UTC
amd64/x86 stable, all arches done.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-18 12:25:06 UTC
glsa decision, I vote NO.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:19:37 UTC
But I vote YES. :P
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-24 16:46:18 UTC
YES too, request filed.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-29 22:44:53 UTC
GLSA 200906-04