Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 265455 (CVE-2008-5519) - <www-apache/mod_jk-1.2.27: Information disclosure (CVE-2008-5519)
Summary: <www-apache/mod_jk-1.2.27: Information disclosure (CVE-2008-5519)
Status: RESOLVED FIXED
Alias: CVE-2008-5519
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://tomcat.apache.org/security-jk....
Whiteboard: B4 [glsa]
Keywords:
: 265010 (view as bug list)
Depends on: 265010
Blocks:
  Show dependency tree
 
Reported: 2009-04-08 14:40 UTC by Alex Legler (RETIRED)
Modified: 2009-06-29 22:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-08 14:40:04 UTC
From Mark Thomas <markt@apache.org> via bugtraq:

Vulnerability announcement:
CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

Versions Affected:
mod_jk 1.2.0 to 1.2.26

Description:
Situations where faulty clients set Content-Length without providing
data, or where a user submits repeated requests very quickly may permit
one user to view the response associated with a different user's request.

Mitigation:
Upgrade to mod_jk 1.2.27 or later
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-08 14:40:55 UTC
Stabling via bug 265010.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-10 20:28:53 UTC
CVE-2008-5519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5519):
  The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat
  allows remote attackers to obtain sensitive information via an
  arbitrary request from an HTTP client, in opportunistic circumstances
  involving (1) a request from a different client that included a
  Content-Length header but no POST data or (2) a rapid series of
  requests, related to noncompliance with the AJP protocol's
  requirements for requests containing Content-Length headers.

Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:37:38 UTC
*** Bug 265010 has been marked as a duplicate of this bug. ***
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:38:02 UTC
Testing guide: http://www.gentoo.org/proj/en/java/getting-involved.xml#doc_chap1
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:38:12 UTC
Arches, please test and mark stable:
=www-apache/mod_jk-1.2.27
Target keywords : "amd64 ppc x86"
Comment 6 nixnut (RETIRED) gentoo-dev 2009-04-18 08:18:41 UTC
ppc stable
Comment 7 Markus Meier gentoo-dev 2009-04-18 11:57:36 UTC
amd64/x86 stable, all arches done.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-18 12:25:06 UTC
glsa decision, I vote NO.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 22:19:37 UTC
But I vote YES. :P
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-24 16:46:18 UTC
YES too, request filed.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-29 22:44:53 UTC
GLSA 200906-04