Bug 551216 (CVE-2014-8111) - <www-apache/mod_jk-1.2.42: information disclosure of private or restricted files (CVE-2014-8111)
Summary: <www-apache/mod_jk-1.2.42: information disclosure of private or restricted fi...
Status: RESOLVED FIXED
Alias: CVE-2014-8111
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2017-07-05
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-04 13:23 UTC by Sam James
Modified: 2021-04-04 13:23 UTC

See Also:
Package list:
=www-apache/mod_jk-1.2.42
Runtime testing required: No
stable-bot: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-04 13:23:45 UTC
From above URL:
----
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.
----
Affected versions: < 1.2.41
Version in tree:
1.2.40 (stable) (vulnerable)
1.2.37 (stable) (vulnerable)

https://security-tracker.debian.org/tracker/CVE-2014-8111

Reproducible: Always
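
To find out which rules the quoted CVE text puts at risk on a given host, the following added example (not part of the bug report or of mod_jk) lists every JkUnmount that carves a subtree out of an earlier JkMount and checks a version string against 1.2.41. The sample configuration, the worker names and the simple `/dir/*` prefix matching with same-worker comparison are assumptions made for illustration.

```python
import re

FIXED = (1, 2, 41)  # first fixed release per the CVE text quoted above

# Constructed sample httpd configuration (not taken from the bug report).
SAMPLE_CONF = """\
JkMount   /app/*          worker1
JkUnmount /app/private/*  worker1
JkUnmount /static/*       worker1
JkMount   /api/*          worker2
# JkUnmount /api/internal/* worker2
JkUnmount /api/internal/* worker2
"""

RULE = re.compile(r"^\s*(JkMount|JkUnmount)\s+(\S+)\s+(\S+)", re.IGNORECASE)

def parse_rules(conf):
    """Return (directive, url_pattern, worker) tuples in file order."""
    rules = []
    for line in conf.splitlines():
        m = RULE.match(line)  # commented-out lines do not match
        if m:
            rules.append((m.group(1).lower(), m.group(2), m.group(3)))
    return rules

def prefix(pattern):
    """Directory prefix of a simple '/dir/*' style pattern (assumption)."""
    return pattern.split("*", 1)[0].rstrip("/") + "/"

def at_risk_unmounts(conf):
    """JkUnmount rules that exclude a subtree of an earlier JkMount."""
    mounts, hits = [], []
    for directive, pattern, worker in parse_rules(conf):
        p = prefix(pattern)
        if directive == "jkmount":
            mounts.append((p, worker))
        elif any(w == worker and p.startswith(mp) and p != mp
                 for mp, w in mounts):
            hits.append((pattern, worker))
    return hits

def is_affected(version):
    """True when a dotted mod_jk version is older than the fixed release."""
    return tuple(int(x) for x in version.split(".")) < FIXED
```

Any rule this reports on a host where `is_affected` is true is an exclusion that should not be relied on until the package is upgraded; an access-control rule in httpd itself for the same path is the usual interim safeguard.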
Comment 1 Patrice Clement gentoo-dev 2015-06-09 08:29:25 UTC
http://tomcat.apache.org/connectors-doc/

As of now (09/06/2015), mod_jk 1.2.41 hasn't been publicly released yet. Very odd since the CVE mentions it.

The only sources available for this version that I've found are those hosted in rjung's (which seems to be the main developer behind mod_jk) public homedir.

http://people.apache.org/~rjung/mod_jk-dev/

They're tagged as a "dev" release and we don't want to package that sort of stuff.

Let's put this on hold until 1.2.41 comes out.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 07:51:42 UTC
CVE-2014-8111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8111):
  Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for
  subtrees of previous JkMount rules, which allows remote attackers to access
  otherwise restricted artifacts via unspecified vectors.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 03:36:44 UTC
@maintainer(s), 1.2.41 is available upstream.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-28 08:07:59 UTC
No rdeps.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-05 16:20:44 UTC
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Security vulnerability. No reverse
# dependencies. Removal in 30 days. Bug #551216.
www-apache/mod_jk
Comment 6 Luca Santarelli 2017-06-10 08:05:39 UTC
Today I was prompted by the masked notification due to no maintainership, security vulnerabilities and no RDEPS.

I'd like to point out that:

1. p.g.o lists Mike Weissman (plus the Java and Proxy Maintainers team) as maintainer. Has Mike retired? If yes, what about the Java team? What would be required to proxy maintain this package?

2. Upstream is alive (current release: 1.2.42) and the security vulnerability mentioned in this bug has been long fixed.

3. There are no RDEPS because of how the www-servers/tomcat ebuild is written (this could be a bug on its own). This is an apache (httpd) module which allows to connect an httpd front-end to a tomcat application server, kinda like a reverse-proxy. It could be made explicit through a USE "apache" flag in the www-servers/tomcat ebuild.

Is this enough to keep the package in portage? What is required?
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-10 13:43:08 UTC
(In reply to Luca Santarelli from comment #6)
> 1. p.g.o lists Mike Weissman (plus the Java and Proxy Maintainers team) as
> maintainer. Has Mike retired? If yes, what about the Java team? What would be
> required to proxy maintain this package?

Mike is CC'ed since 2015. No reaction yet. So it looks like the proxy-maintainer is gone...

The JAVA project has shown now interests in this package.

For proxy-maintaining this package please read https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started. You basically have to file a maintainership request. But please do this together with an actual pull request/patch addressing all vulnerabilities to show us that you are capable to maintain the package (don't worry if you aren't able at the moment. The proxy-maintainer project will help you). However, the deadline won't move (but package could be added back once it is in a good shape again).



> 3. There are no RDEPS because of how the www-servers/tomcat ebuild is
> written (this could be a bug on its own). This is an apache (httpd) module
> which allows to connect an httpd front-end to a tomcat application server,
> kinda like a reverse-proxy. It could be made explicit through a USE "apache"
> flag in the www-servers/tomcat ebuild.
> 
> Is this enough to keep the package in portage? What is required?

No. A RDEP wouldn't prevent the removal (it would only require more work, because we would have to remove the RDEP first).

If you or somebody else bumps the package to a current version, current EAPI... and promise to take care of the package in future, we will keep it.
Comment 8 Timo Gurr 2017-06-21 09:38:51 UTC
(In reply to Thomas Deutschmann from comment #7)
> (In reply to Luca Santarelli from comment #6)
> > 1. p.g.o lists Mike Weissman (plus the Java and Proxy Maintainers team) as
> > maintainer. Has Mike retired? If yes, what about the Java team? What would be
> > required to proxy maintain this package?
> 
> Mike is CC'ed since 2015. No reaction yet. So it looks like the
> proxy-maintainer is gone...
> 
> The JAVA project has shown now interests in this package.
> 
> For proxy-maintaining this package please read
> https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started. You
> basically have to file a maintainership request. But please do this together
> with an actual pull request/patch addressing all vulnerabilities to
> show us that you are capable to maintain the package (don't worry if you
> aren't able at the moment. The proxy-maintainer project will help you).
> However, the deadline won't move (but package could be added back once it is
> in a good shape again).

I made a pull request for the version bump: https://github.com/gentoo/gentoo/pull/4962
I may be retired and never have been the most active dev for sure, but for the moment I rely on that package on multiple production servers so it would be a shame to see it being removed.
Comment 9 Patrice Clement gentoo-dev 2017-06-23 15:23:55 UTC
commit 2620cebb313f435d213434e210692a0744fb7475 (HEAD -> master, origin/master, origin/HEAD)
Author:     Timo Gurr <timo.gurr@gmail.com>
AuthorDate: Tue Jun 20 15:23:59 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Jun 23 17:22:37 2017 +0200

www-apache/mod_jk: version bump to 1.2.42.

Gentoo-Bug: https://bugs.gentoo.org/551216

Closes: https://github.com/gentoo/gentoo/pull/4962

www-apache/mod_jk/Manifest             |  1 +
www-apache/mod_jk/files/88_mod_jk.conf |  5 +++
www-apache/mod_jk/mod_jk-1.2.42.ebuild | 60 ++++++++++++++++++++++++++++++++++
3 files changed, 66 insertions(+)
create mode 100644 www-apache/mod_jk/mod_jk-1.2.42.ebuild
Comment 10 Patrice Clement gentoo-dev 2017-06-23 15:26:30 UTC
commit de1f48e9ce490960a0bed73852287f4be647e808 (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Fri Jun 23 17:25:23 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Jun 23 17:25:27 2017 +0200

profiles/package.mask: remove www-apache/mod_jk entry.

Gentoo-Bug: https://bugs.gentoo.org/551216

profiles/package.mask | 6 ------
1 file changed, 6 deletions(-)
Comment 11 Patrice Clement gentoo-dev 2017-06-23 15:29:10 UTC
Thanks Timo for your work and the PR. I have removed Mike and Proxy-maintainers from the list of maintainers in the metadata.xml file. If you would like to take over maintainership along with us (Java), let me know.

@Security: please proceed.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-07-15 22:11:53 UTC
@arches, please stabilize.
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2017-07-16 09:19:50 UTC
Stable on amd64.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-08-06 17:03:41 UTC
x86 stable

GLSA Vote: No
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-08-09 02:42:14 UTC
cleanup complete in coordination with monsieurp from java team.
Comment 16 Larry the Git Cow gentoo-dev 2021-04-04 13:23:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7e92f5b2cb446a90c48e714f2e0f83afdadd6b3

commit c7e92f5b2cb446a90c48e714f2e0f83afdadd6b3
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-04-04 08:24:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-04-04 13:19:36 +0000

    profiles: Mask www-apache/mod_jk for removal
    
    Package needs a real maintainer to fix broken IUSE=java and version bump.
    Bug #778758 contains a version bump with java removed. Do pick it up.
    Removal on 2021-05-04.
    
    Bug: https://bugs.gentoo.org/551216
    Bug: https://bugs.gentoo.org/778758
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)