- someone please mask 1.2.19 and 1.2.20!
- add an ebuild for 1.2.21
arches, please test and stable mod_jk-1.2.21-r1, thanks.
wltjr: is 1.2.20-r1 security fixed, too?
according to ZDI: Tomcat 4.1.34 and Tomcat 5.5.20 are also vulnerable? Does this affect us?
(In reply to comment #0)
> - add an ebuild for 1.2.21
It was added the day it was released.
(In reply to comment #2)
> according to ZDI: Tomcat 4.1.34 and Tomcat 5.5.20 are also vulnerable? Does
> this affect us?
We are likely affected by Tomcat 5.5.20. Upstream is about to kick out another version, I believe they are tagging 5.5.24 sometime soon, today maybe. I will see if upstream plans to expedite the release at all.
Ok, never mind, reading it further it's referring to vulnerable mod_jk in Tomcat 5.5.20 sources, I believe. So this only affects mod_jk.
>> - add an ebuild for 1.2.21
> It was added the day it was released.
Sorry, I didn't have it in portage, maybe synced against a mirror that wasn't up-to-date.
Wouldn't it be useful to release 1.2.19-r2 and 1.2.20-r2 which - after installing - print out a message that it's insecure? Or mask 1.2.19 and 1.2.20?
In my opinion, people should at least know that they install an insecure version.
Sorry, but I don't know what's the common way of handling this.
People do not always see the messages or log files. I will likely p.mask once 1.2.21 is stabilized. I must add a message when I p.mask that anyone trying to emerge the package will see.
> People do not always see the messages or log files.
Sure, but adding messages can't harm anyone.
> I will likely p.mask once 1.2.21 is stabilized. I must add a message when I
> p.mask and that anyone trying to emerge the package will see.
Ah, fine! Thanks for the info. :)
After upgrading mod_jk, apache didn't start. Found that mod_jk is responsible because it tries to create a log file in /etc/apache2/log, which is a bad location for log files.
Error message from apache is:
[Thu Mar 08 14:04:09 2007] [error] (2)No such file or directory: mod_jk: could not open JkLog file /etc/apache2/log/mod_jk.log
In /etc/apache2/modules.d/88_mod_jk.conf I changed the line
JkLogFile /etc/apache2/log/mod_jk.log
to
JkLogFile /var/log/apache2/mod_jk.log
After that everything is fine again. Please consider changing the default location for the log file.
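As an added example (not from this bug or the Gentoo ebuild), a small shell check for the failure described in this comment: it reads the JkLogFile directive from a mod_jk module config, flags a path under /etc or in a directory that does not exist (which makes apache fail to start), and rewrites the directive to a chosen location. File names and paths passed in are the caller's; the sample config used in the test is constructed.

```shell
#!/bin/sh
# Print the JkLogFile path from a mod_jk config file (first directive wins).
jk_logfile() {
    awk '$1 == "JkLogFile" { print $2; exit }' "$1"
}

# Diagnose the JkLogFile path in config file $1.
# Prints one of: no-directive, bad-location:<path>, missing-dir:<dir>, ok:<path>
# and returns non-zero for anything other than ok.
check_jklog() {
    path=$(jk_logfile "$1")
    case "$path" in
        "")     echo "no-directive"; return 1 ;;
        /etc/*) echo "bad-location:$path"; return 1 ;;   # logs do not belong under /etc
    esac
    dir=$(dirname "$path")
    if [ ! -d "$dir" ]; then
        echo "missing-dir:$dir"; return 1                # mod_jk cannot open the log, apache won't start
    fi
    echo "ok:$path"
}

# Rewrite the JkLogFile directive in config file $1 to path $2 (portable, no sed -i).
fix_jklog() {
    sed "s|^JkLogFile .*|JkLogFile $2|" "$1" > "$1.new" && mv "$1.new" "$1"
}
```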
ready for glsa
(In reply to comment #9)
> In /etc/apache2/modules.d/88_mod_jk.conf I changed the line
> JkLogFile /etc/apache2/log/mod_jk.log
> JkLogFile /var/log/apache2/mod_jk.log
> After that everything is fine again. Please consider changing the default
> location for the log file.
Sorry about that, I corrected the path and just committed to tree.
All stable versions gone.
New version 1.2.21-r2 is unstable...
Yes, another one in a series. :( Copied ebuild for revision before I cvs'd up, and when I did the previous version was updated to stable. But my bumped version was not. OOOPPPS. Got rid of other versions due to security issue. Just committed, should hit mirrors in a few hours. Very sorry.
This has been stabilized and vulnerable versions removed. Closing bug.
Reopening this since it shouldn't have been closed.