Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 551216 (CVE-2014-8111) - <www-apache/mod_jk-1.2.42: information disclosure of private or restricted files (CVE-2014-8111)
Summary: <www-apache/mod_jk-1.2.42: information disclosure of private or restricted fi...
Status: RESOLVED FIXED
Alias: CVE-2014-8111
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Deadline: 2017-07-05
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-04 13:23 UTC by Sam James
Modified: 2017-08-09 02:42 UTC (History)
2 users (show)

See Also:
Package list:
=www-apache/mod_jk-1.2.42
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2015-06-04 13:23:45 UTC
From above URL:
----
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.
----
Affected versions: < 1.2.41
Version in tree:
1.2.40 (stable) (vulnerable)
1.2.37 (stable) (vulnerable)

https://security-tracker.debian.org/tracker/CVE-2014-8111

Reproducible: Always
Comment 1 Patrice Clement gentoo-dev 2015-06-09 08:29:25 UTC
http://tomcat.apache.org/connectors-doc/

As of now (09/06/2015), mod_jk 1.2.41 hasn't been publicly released yet. Very odd since the CVE mentions it.

The only sources available for this version that I've found are those hosted in rjung's (which seems to be the main developer behind mod_jk) public homedir.

http://people.apache.org/~rjung/mod_jk-dev/

They're tagged as a "dev" release and we don't want to package that sort of stuff.

Let's put this on hold until 1.2.41 comes out.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 07:51:42 UTC
CVE-2014-8111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8111):
  Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for
  subtrees of previous JkMount rules, which allows remote attackers to access
  otherwise restricted artifacts via unspecified vectors.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-18 03:36:44 UTC
@maintainer(s), 1.2.41 is available upstream.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-28 08:07:59 UTC
No rdeps.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-06-05 16:20:44 UTC
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Security vulnerability. No reverse
# dependencies. Removal in 30 days. Bug #551216.
www-apache/mod_jk
Comment 6 Luca Santarelli 2017-06-10 08:05:39 UTC
Today I was prompted by the masked notification due to no mantainership, security vulnerabilities and no RDEPS.

I'd like to point out that:

1. p.g.o lists Mike Weissman (plus the Java and Proxy Mantainers team) as mantainer. Has Mike retired? If yes, what about the Java team? What would be required to proxy mantain this package?

2. Upstream is alive (current release: 1.2.42) and the security vulnerability mentione in this bug has been long fixed.

3. There are no RDEPS because of how the www-servers/tomcat ebuild is written (this could be a bug on its own). This is an apache (httpd) module which allows to connect an httpd front-end to a tomcat application server, kinda like a reverse-proxy. It could be made explicit through a USE "apache" flag in the www-servers/tomcat ebuild.

Is this enough to keep the package in portage? What is required?
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-06-10 13:43:08 UTC
(In reply to Luca Santarelli from comment #6)
> 1. p.g.o lists Mike Weissman (plus the Java and Proxy Mantainers team) as
> mantainer. Has Mike retired? If yes, what about the Java team? What would be
> required to proxy mantain this package?

Mike is CC'ed since 2015. No reaction yet. So it looks like the proxy-maintainer is gone...

The JAVA project has shown now interests in this package.

For proxy-mataining this package please read https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started. You basically have to file a maintainership request. But please do this together with an actual pull request/patch addressing all vulnerabilities showing to show us that you are capable to maintain the package (don't worry if you aren't able at the moment. The proxy-maintainer project will help you. However, the deadline won't move (but package could be added back once it is in a good shape again).



> 3. There are no RDEPS because of how the www-servers/tomcat ebuild is
> written (this could be a bug on its own). This is an apache (httpd) module
> which allows to connect an httpd front-end to a tomcat application server,
> kinda like a reverse-proxy. It could be made explicit through a USE "apache"
> flag in the www-servers/tomcat ebuild.
> 
> Is this enough to keep the package in portage? What is required?

No. A RDEP wouldn't prevent the removal (it would only require more work, because we would have to remove the RDEP first).

If you or somebody else bumps the package to a current version, current EAPI... and promise to take care of the package in future, we will keep it.
Comment 8 Timo Gurr 2017-06-21 09:38:51 UTC
(In reply to Thomas Deutschmann from comment #7)
> (In reply to Luca Santarelli from comment #6)
> > 1. p.g.o lists Mike Weissman (plus the Java and Proxy Mantainers team) as
> > mantainer. Has Mike retired? If yes, what about the Java team? What would be
> > required to proxy mantain this package?
> 
> Mike is CC'ed since 2015. No reaction yet. So it looks like the
> proxy-maintainer is gone...
> 
> The JAVA project has shown now interests in this package.
> 
> For proxy-mataining this package please read
> https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers#Getting_Started. You
> basically have to file a maintainership request. But please do this together
> with an actual pull request/patch addressing all vulnerabilities showing to
> show us that you are capable to maintain the package (don't worry if you
> aren't able at the moment. The proxy-maintainer project will help you.
> However, the deadline won't move (but package could be added back once it is
> in a good shape again).

I made a pull request for the version bump: https://github.com/gentoo/gentoo/pull/4962
I may be retired and never have been the most active dev for sure, but for the moment I rely on that package on multiple production servers so it would be a shame to see it being removed.
Comment 9 Patrice Clement gentoo-dev 2017-06-23 15:23:55 UTC
commit 2620cebb313f435d213434e210692a0744fb7475 (HEAD -> master, origin/master, origin/HEAD)
Author:     Timo Gurr <timo.gurr@gmail.com>
AuthorDate: Tue Jun 20 15:23:59 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Jun 23 17:22:37 2017 +0200

www-apache/mod_jk: version bump to 1.2.42.

Gentoo-Bug: https://bugs.gentoo.org/551216

Closes: https://github.com/gentoo/gentoo/pull/4962

www-apache/mod_jk/Manifest             |  1 +
www-apache/mod_jk/files/88_mod_jk.conf |  5 +++
www-apache/mod_jk/mod_jk-1.2.42.ebuild | 60 ++++++++++++++++++++++++++++++++++
3 files changed, 66 insertions(+)
create mode 100644 www-apache/mod_jk/mod_jk-1.2.42.ebuild
Comment 10 Patrice Clement gentoo-dev 2017-06-23 15:26:30 UTC
commit de1f48e9ce490960a0bed73852287f4be647e808 (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: Fri Jun 23 17:25:23 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Jun 23 17:25:27 2017 +0200

profiles/package.mask: remove www-apache/mod_jk entry.

Gentoo-Bug: https://bugs.gentoo.org/551216

profiles/package.mask | 6 ------
1 file changed, 6 deletions(-)
Comment 11 Patrice Clement gentoo-dev 2017-06-23 15:29:10 UTC
Thanks Timo for your work and the PR. I have removed Mike and Proxy-maintainers from the list of maintainers in the metadata.xml file. If you would like to take over maintainership along with us (Java), let me know.

@Security: please proceed.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-15 22:11:53 UTC
@arches, please stabilize.
Comment 13 Tobias Klausmann gentoo-dev 2017-07-16 09:19:50 UTC
Stable on amd64.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-06 17:03:41 UTC
x86 stable

GLSA Vote: No
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-09 02:42:14 UTC
cleanup complete in coordination with monsieurp from java team.