Bug 109949

Summary: [patch] www/mod_jk security update to 1.2.21
Product: Ports & Packages
Reporter: Nick Barkas <snb>
Component: Individual Port(s)
Assignee: Palle Girgensohn <girgen>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
file.diff (description: none; flags: none)

Description Nick Barkas 2007-03-05 21:10:05 UTC
The Apache Tomcat Connector versions 1.2.19 and 1.2.20 have a stack buffer overflow vulnerability in the map_uri_to_worker() function in the mod_jk.so library, triggered by certain long URLs. This allows for arbitrary remote code execution.

See: http://tomcat.apache.org/security-jk.html
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774

Fix: The attached patch updates the www/mod_jk port to 1.2.21, which should have this vulnerability fixed. It would probably be a good idea to make note of this vulnerability in the VuXML document, as it appears to be rather severe.


Patch attached with submission follows:
How-To-Repeat: I have not seen any specific exploits.
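The report names two affected releases (1.2.19 and 1.2.20) and one fixed release (1.2.21), which is exactly the version range a VuXML entry or a local audit script has to encode. The following is an added example, not code from this PR, the FreeBSD ports tree or the mod_jk project: it parses a package-style version string, decides whether it falls in the affected range, and lists which hosts of a constructed inventory still need the 1.2.21 update. Only the versions the report names are treated as affected; the `audit()` helper and the sample inventory are assumptions made for illustration.

```python
# Added example (not from the PR or the mod_jk project): flag mod_jk
# versions that the advisory names as affected (1.2.19, 1.2.20) and
# treat 1.2.21, the version the port was upgraded to, as fixed.
import re
from typing import Dict, List, Tuple

AFFECTED_FROM = (1, 2, 19)  # first affected version named in the report
FIXED_IN = (1, 2, 21)       # version the www/mod_jk port was updated to


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the dotted version from '1.2.20' or a package name such as
    'mod_jk-1.2.20' and return it as a tuple of ints for ordered comparison."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version lies in [1.2.19, 1.2.21), i.e. is 1.2.19 or 1.2.20.
    Tuple comparison handles multi-digit components correctly (1.2.2 < 1.2.19)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def audit(installed: Dict[str, str]) -> List[str]:
    """Hypothetical helper: given host -> installed mod_jk package string
    (as pkg_info would report it), return the hosts that still need 1.2.21."""
    return sorted(host for host, pkg in installed.items() if is_affected(pkg))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "web1": "mod_jk-1.2.20",
        "web2": "mod_jk-1.2.21",
        "web3": "mod_jk-1.2.15",
    }
    print(audit(sample))  # ['web1']
```

Versions older than 1.2.19 are deliberately not flagged here because the report does not list them; extend `AFFECTED_FROM` only from the upstream advisory, not by guessing.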
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2007-03-05 21:10:14 UTC
Responsible Changed
From-To: freebsd-ports-bugs->girgen

Over to maintainer
Comment 2 dfilter service freebsd_committer freebsd_triage 2007-03-07 16:02:14 UTC
girgen      2007-03-07 16:02:05 UTC

  FreeBSD ports repository

  Modified files:
    www/mod_jk           Makefile distinfo 
  Log:
  Upgrade to 1.2.21 to fix a security issue.
  
  Security: http://vuxml.FreeBSD.org/cf86c644-cb6c-11db-8e9d-000c6ec775d9.html
  PR:       ports/109949
  
  Revision  Changes    Path
  1.36      +1 -3      ports/www/mod_jk/Makefile
  1.14      +3 -3      ports/www/mod_jk/distinfo
Comment 3 Palle Girgensohn freebsd_committer freebsd_triage 2007-03-07 16:02:46 UTC
State Changed
From-To: open->closed

Committed. Thanks!