Bug 109949 - [patch] www/mod_jk security update to 1.2.21
Summary: [patch] www/mod_jk security update to 1.2.21
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Palle Girgensohn
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-05 21:10 UTC by Nick Barkas
Modified: 2007-03-07 16:10 UTC (History)
0 users

See Also:


Attachments
file.diff (919 bytes, patch)
2007-03-05 21:10 UTC, Nick Barkas
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Nick Barkas 2007-03-05 21:10:05 UTC
The Apache Tomcat Connector versions 1.2.19 and 1.2.20 have a stack buffer overflow vulnerability in the map_uri_to_worker() in the mod_jk.so library, triggered by certain long URLs. This allows for arbitrary remote code execution.

See: http://tomcat.apache.org/security-jk.html
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774

Fix: The attached patch updates the www/mod_jk port to 1.2.21, which should have this vulnerability fixed. It would probably be a good idea to make note of this vulnerability in the VuXML document, as it appears to be rather severe.


Patch attached with submission follows:
How-To-Repeat: I have not seen any specific exploits.
Comment 1 Edwin Groothuis freebsd_committer 2007-03-05 21:10:14 UTC
Responsible Changed
From-To: freebsd-ports-bugs->girgen

Over to maintainer
Comment 2 dfilter service freebsd_committer 2007-03-07 16:02:14 UTC
girgen      2007-03-07 16:02:05 UTC

  FreeBSD ports repository

  Modified files:
    www/mod_jk           Makefile distinfo 
  Log:
  Upgrade to 1.2.21 to fix a security issue.
  
  Security: http://vuxml.FreeBSD.org/cf86c644-cb6c-11db-8e9d-000c6ec775d9.html
  PR:       ports/109949
  
  Revision  Changes    Path
  1.36      +1 -3      ports/www/mod_jk/Makefile
  1.14      +3 -3      ports/www/mod_jk/distinfo
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 Palle Girgensohn freebsd_committer 2007-03-07 16:02:46 UTC
State Changed
From-To: open->closed

Committed. Thanks!