Bug 186218 - www-apache/mod_jk < 1.2.23 URL crafted prefix issue (CVE-2007-1860)
Summary: www-apache/mod_jk < 1.2.23 URL crafted prefix issue (CVE-2007-1860)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-22 12:26 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-08-19 23:01 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-22 12:26:16 UTC
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
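As an added illustration of the decode-then-match mismatch the description refers to (constructed for this bug entry, not code from mod_jk or Tomcat), the following Python models a front end that decodes a request URL once and then applies a mount-prefix policy to that intermediate string, a back end that decodes the forwarded URL a second time, and a hardened check that canonicalizes to a fixed point before applying the same policy. The `/admin` prefix, the decode-round bound and the sample paths are assumptions.

```python
"""Model of the decode-then-match mismatch in mod_jk < 1.2.23 (constructed; not mod_jk or Tomcat code)."""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"  # constructed stand-in for a JkMount the front end must block
MAX_DECODE_ROUNDS = 4        # constructed bound on how deeply encoding may be nested


def under_protected(path: str) -> bool:
    """Prefix match in the spirit of a JkMount /admin/* rule."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def vulnerable_forwards(raw_path: str) -> bool:
    """Vulnerable order: decode once, then apply the policy to that string.
    A doubly encoded segment is still '%2e%2e' here, so it does not look
    like it lands under the protected prefix.  True means 'forwarded'."""
    return not under_protected(unquote(raw_path))


def backend_path(raw_path: str) -> str:
    """What the back end resolves for a forwarded request: it decodes the
    once-decoded URL a second time and collapses dot segments."""
    forwarded = unquote(raw_path)
    return posixpath.normpath(unquote(forwarded))


def canonical_path(raw_path: str):
    """Hardened step: decode until the path stops changing (so a later decode
    cannot alter it), refuse NULs and relative paths, then collapse dot
    segments the same way the back end will.  None means reject."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after the bound: reject
    if "\x00" in path or not path.startswith("/"):
        return None
    return posixpath.normpath(path)


def hardened_forwards(raw_path: str) -> bool:
    """Apply the mount policy to the canonical path, i.e. to what the back end
    would actually serve, not to an intermediate decoding."""
    canon = canonical_path(raw_path)
    return canon is not None and not under_protected(canon)
```

Comparing `vulnerable_forwards` and `backend_path` on the same request shows why the front end's decision and the back end's resolved path can disagree; `hardened_forwards` removes that gap by deciding on the canonical path.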
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-22 14:01:06 UTC
Version 1.2.23 is already in the tree but unstable; are we ready to call arches for stabilisation? William, please advise.
Comment 2 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-07-22 16:31:45 UTC
Yes, we should be good to go for stabilization. Sorry I had not requested it sooner; kinda been tied up with other things. CC'ing archs now for stabilization of 1.2.23.
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-25 09:21:19 UTC
x86 stable
Comment 4 William L. Thomson Jr. (RETIRED) gentoo-dev 2007-07-25 15:05:05 UTC
amd64 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 21:04:13 UTC
ppc stable, ready for GLSA voting. On a side note: Debian and Red Hat released advisories.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-28 07:42:11 UTC
I vote YES.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-29 22:07:08 UTC
Voting yes too; let's have a GLSA on this one.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-19 23:01:20 UTC
GLSA 200708-15, thanks everybody.