lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 20 Dec 2018 22:25:19 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 4357-1] libapache-mod-jk security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4357-1                   security@...ian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 20, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libapache-mod-jk
CVE ID         : CVE-2018-11759

Raphael Arrouas and Jean Lejeune discovered an access control bypass
vulnerability in mod_jk, the Apache connector for the Tomcat Java
servlet engine. The vulnerability is addressed by upgrading mod_jk to
the new upstream version 1.2.46, which includes additional changes.

 https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.42_and_1.2.43
 https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.43_and_1.2.44
 https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.44_and_1.2.45
 https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.45_and_1.2.46

For the stable distribution (stretch), this problem has been fixed in
version 1:1.2.46-0+deb9u1.

We recommend that you upgrade your libapache-mod-jk packages.

For the detailed security status of libapache-mod-jk please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libapache-mod-jk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlwcFXJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qu7Q/6A6UGJsGJox6vlwjOso6/n0kSUW+Q/ojIL5O3BkDgxY4SkZ0Aw3OBWuj4
b4WimxndglxjA2/Lx5NPzthA82kSSYVJWkngjlhRCIX1eqFadpHrkXVPb1pBxvQ5
/JJsArO0X01qQQPlqsjSHtWQVDlRsELwycb48B+3u7Si9LUiyg5Z2kaBSanWvYNw
zDwludKjJpvMg8XoqR1dvrycXPK5NDkfqAud22cquog8XCNpc/jDNPMFLHwXQp1H
JJgLpIIJncHB9CPbi+7rMYpNsRBnAQNEcz6LGjsWY7fkgSfJfx/P8ezYjliDY7xf
EzxFDNXj+LHs1xH/7cTkf5+EX+rjU8lonPEAxqXpsZ9OKqGZfUBUAM7dyUWoMAMI
W0EB1Hr3ysa69V5EjGMdp2djH56OcMAAYB/uHu+R0p4YrE0Ivkx5XfUglnYLa9Wa
X9+jVf5Unp4qRNuCVwaI2k9P2u60UZezYx6hjMG81nxkZLDg6CAzDcVqGYR+dS4D
Z8wY0ya6NOMwnrkhuJfTX1LONbkwgzvNh/EvAZNduy6r8x62Sff7PVtaRWf2LjXq
sjjs9IT9Tc7Ta96GcR/nXkLc+VVdefvf2hZ29BDhEWovYhnb9X4k8Wsd2e/x4NFW
uz4nNmazB9Yyj1QD3G5DN7tfIoJ+iSuqIWtJqLIiOY7/VO+scPs=
=CyjI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists