mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
Version 1.2.23 is already in the tree but unstable; are we ready to call arches for stabilisation? William, please advise.
Yes, we should be good to go for stabilization. Sorry I had not requested it sooner, kinda been tied up with other things. CC'ing arches now for stabilization of 1.2.23.
x86 stable
amd64 stable
ppc stable, ready for GLSA voting. On a side note: Debian and Red Hat released advisories.
I vote YES.
Voting yes too, let's have a GLSA on this one.
GLSA 200708-15, thanks everybody.