The Apache Tomcat Connector versions 1.2.19 and 1.2.20 have a stack buffer overflow vulnerability in map_uri_to_worker() in the mod_jk.so library, triggered by certain long URLs. This allows for arbitrary remote code execution.

See:
http://tomcat.apache.org/security-jk.html
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774

Fix: The attached patch updates the www/mod_jk port to 1.2.21, which should have this vulnerability fixed. It would probably be a good idea to make note of this vulnerability in the VuXML document, as it appears to be rather severe. Patch attached with submission follows:

How-To-Repeat: I have not seen any specific exploits.
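An audit helper for the fix described in the report, added here as an example and not part of the PR, the port or the commit: it compares an installed mod_jk version against the fixed release 1.2.21 and reports whether the host is still on an affected version. The `pkg_info -E` query and the dotted PORTVERSION format (with an optional `_N` suffix) are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): flag mod_jk versions that predate the
# 1.2.21 fix for the map_uri_to_worker() stack overflow (CVE-2007-0774).
# Assumes dotted numeric versions like "1.2.20" or "1.2.21_1".

FIXED_VERSION="1.2.21"

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Compares dot-separated numeric components; a missing component counts as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Advance to the next component, or to empty when none is left.
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# mod_jk_affected VERSION: true (exit 0) when VERSION is older than 1.2.21.
# The FreeBSD port revision suffix ("_1") and epoch (",1") are stripped first,
# since they do not change the upstream release being compared.
mod_jk_affected() {
    v="${1%%[_,]*}"
    [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# mod_jk_status VERSION: prints AFFECTED or FIXED for the given version.
mod_jk_status() {
    if mod_jk_affected "$1"; then echo AFFECTED; else echo FIXED; fi
}

# audit_installed: looks up the installed mod_jk package with the (assumed)
# pre-pkgng pkg_info tool and prints its status; run this on the host.
audit_installed() {
    pkg=$(pkg_info -E 'mod_jk-*' 2>/dev/null) || { echo "mod_jk not installed"; return; }
    ver="${pkg#mod_jk-}"
    echo "$pkg: $(mod_jk_status "$ver")"
}
```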
Responsible Changed From-To: freebsd-ports-bugs->girgen
Over to maintainer
girgen 2007-03-07 16:02:05 UTC
FreeBSD ports repository
Modified files: www/mod_jk Makefile distinfo
Log:
Upgrade to 1.2.21 to fix a security issue.
Security: http://vuxml.FreeBSD.org/cf86c644-cb6c-11db-8e9d-000c6ec775d9.html
PR: ports/109949

Revision  Changes  Path
1.36      +1 -3    ports/www/mod_jk/Makefile
1.14      +3 -3    ports/www/mod_jk/distinfo
State Changed From-To: open->closed
Committed. Thanks!