Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 780051

Summary: <www-apache/mod_jk-1.2.46 bypass htaccess by adding ';' at the end of an URL (CVE-2018-11759)
Product: Gentoo Security Reporter: Conrad Kostecki <conikost>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: No

Description Conrad Kostecki gentoo-dev 2021-04-04 19:08:29 UTC 
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
Comment 1 NATTkA bot gentoo-dev Security 2021-04-04 19:12:21 UTC Comment hidden (obsolete)
Comment 2 Larry the Git Cow gentoo-dev 2021-04-04 19:13:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5d0264d6572ce14e70a08bc9478a10838ddd3b3

commit c5d0264d6572ce14e70a08bc9478a10838ddd3b3
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-04-04 19:08:53 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-04-04 19:12:55 +0000

    www-apache/mod_jk: bump to version 1.2.48
    
    Closes: https://bugs.gentoo.org/778758
    Bug: https://bugs.gentoo.org/780051
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-apache/mod_jk/Manifest             |  1 +
 www-apache/mod_jk/mod_jk-1.2.48.ebuild | 68 ++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2021-04-04 19:21:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fe9d88f75d60120efe21e4364c343c4b9e6f017

commit 2fe9d88f75d60120efe21e4364c343c4b9e6f017
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-04-04 19:20:42 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-04-04 19:20:51 +0000

    www-apache/mod_jk: drop old version 1.2.42
    
    Dropping old version, as it contains mulitple open security
    vulnerabilities.
    
    Bug: https://bugs.gentoo.org/780051
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-apache/mod_jk/Manifest                    |   1 -
 www-apache/mod_jk/files/88_mod_jk.conf        | 165 --------------------------
 www-apache/mod_jk/files/jk-workers.properties |  36 ------
 www-apache/mod_jk/mod_jk-1.2.42.ebuild        |  60 ----------
 4 files changed, 262 deletions(-)
Comment 4 Conrad Kostecki gentoo-dev 2021-04-04 19:21:34 UTC 
Since old version is dropped, we can wait the usable 30 days for stable.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-05 19:02:07 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2021-04-13 07:36:37 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Comment 7 Conrad Kostecki gentoo-dev 2021-04-13 08:46:07 UTC 
Cleanup is done.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-13 12:57:58 UTC 
Thanks!
Comment 9 NATTkA bot gentoo-dev Security 2021-07-29 17:23:21 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev Security 2021-07-29 17:31:42 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev Security 2021-07-29 17:39:38 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev Security 2021-07-29 17:47:49 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev Security 2021-07-29 18:03:45 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev Security 2021-07-29 18:12:03 UTC 
Package list is empty or all packages have requested keywords.