libapache-mod-jk (1:1.2.49-1)
[PTS] [DDPO]
OK: VCS matches the version in the archive
- Git: https://salsa.debian.org/java-team/libapache-mod-jk.git
-
- Branch: master
- Path: debian/changelog
- Repo size: 532480
- Browser: https://salsa.debian.org/java-team/libapache-mod-jk
- Last scan: 2024-10-15 14:01:18+00
- Next scan: 2024-10-21 17:08:00+00
- Debian changelog in Git:
libapache-mod-jk (1:1.2.49-1) unstable; urgency=high
* New upstream version 1.2.49.
- Fix CVE-2023-41081:
The mod_jk component of Apache Tomcat Connectors in some circumstances,
such as when a configuration included "JkOptions +ForwardDirectories" but
the configuration did not provide explicit mounts for all possible
proxied requests, mod_jk would use an implicit mapping and map the
request to the first defined worker. Such an implicit mapping could
result in the unintended exposure of the status worker and/or bypass
security constraints configured in httpd. As of JK 1.2.49, the implicit
mapping functionality has been removed and all mappings must now be via
explicit configuration. (Closes: #1051956)
Thanks to Salvatore Bonaccorso for the report.
-- Markus Koschany <apo@debian.org> Fri, 15 Sep 2023 00:25:01 +0200
- This branch is even with tag debian/1%1.2.49-1