File _patchinfo of Package patchinfo.31428
<patchinfo incident="31428">
<issue tracker="bnc" id="1114612">VUL-0: CVE-2018-11759: apache2-mod_jk: connector path traversal due to mishandled HTTP requests in httpd</issue>
<issue tracker="cve" id="2018-11759"/>
<packager>gkenion</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for apache2-mod_jk</summary>
<description>This update for apache2-mod_jk fixes the following issues:
Update to version 1.2.49:
Apache
* Retrieve default request id from mod_unique_id. It can also be
taken from an arbitrary environment variable by configuring
"JkRequestIdIndicator".
* Don't delegate the generatation of the response body to httpd
when the status code represents an error if the request used
the HEAD method.
* Only export the main module symbol. Visibility of module
internal symbols led to crashes when conflicting with library
symbols. Based on a patch provided by Josef Čejka.
* Remove support for implicit mapping of requests to workers.
All mappings must now be explicit.
IIS
* Set default request id as a GUID. It can also be taken from an
arbitrary request header by configuring "request_id_header".
* Fix non-empty check for the Translate header.
Common
* Fix compiler warning when initializing and copying fixed
length strings.
* Add a request id to mod_jk log lines.
* Enable configure to find the correct sizes for pid_t and
pthread_t when building on MacOS.
* Fix Clang 15/16 compatability. Pull request #6 provided by
Sam James.
* Improve XSS hardening in status worker.
* Add additional bounds and error checking when reading AJP
messages.
Docs
* Remove support for the Netscape / Sun ONE / Oracle iPlanet Web
Server as the product has been retired.
* Remove links to the old JK2 documentation. The JK2
documentation is still available, it is just no longer linked
from the current JK documentation.
* Restructure subsections in changelog starting with version
1.2.45.
Changes for 1.2.47 and 1.2.48 updates:
* Add: Apache: Extend trace level logging of method entry/exit to
aid debugging of request mapping issues.
* Fix: Apache: Fix a bug in the normalization checks that prevented
file based requests, such as SSI file includes, from being processed.
* Fix: Apache: When using JkAutoAlias, ensure that files that include
spaces in their name are accessible.
* Update: Common: Update the documentation to reflect that the source
code for the Apache Tomcat Connectors has moved from Subversion to Git.
* Fix: Common: When using set_session_cookie, ensure that an updated session
cookie is issued if the load-balancer has to failover to a different worker.
* Update: Common: Update config.guess and config.sub from
https://git.savannah.gnu.org/git/config.git.
* Update: Common: Update release script for migration to git.
Update to version 1.2.46
Fixes:
* Apache: Fix regression in 1.2.44 which resulted in
socket_connect_timeout to be interpreted in units of seconds
instead of milliseconds on platforms that provide poll(). (rjung)
* Security: CVE-2018-11759 Connector path traversal [bsc#1114612]
Update to version 1.2.45
Fixes:
* Correct regression in 1.2.44 that broke request handling for
OPTIONS * requests. (rjung)
* Improve path parameter parsing so that the session ID specified
by the session_path worker property for load-balanced workers
can be extracted from a path parameter in any segment of the
URI, rather than only from the final segment. (markt)
* Apache: Improve path parameter handling so that JkStripSession
can remove session IDs that are specified on path parameters in any
segment of the URI rather than only the final segment. (markt)
* IIS: Improve path parameter handling so that strip_session can
remove session IDs that are specified on path parameters in any
segment of the URI rather than only the final segment. (markt)
Updates:
* Apache: Update the documentation to note additional
limitations of the JkAutoAlias directive. (markt)
Code:
* Common: Optimize path parameter handling. (rjung)
Update to version 1.2.44
Updates:
* Remove the Novell Netware make files and Netware specific source
code since there has not been a supported version of Netware
available for over five years. (markt)
* Apache: Update the documentation to use httpd 2.4.x style access
control directives. (markt)
* Update PCRE bundled with the ISAPI redirector to 8.42. (rjung)
* Update config.guess and config.sub from
https://git.savannah.gnu.org/git/config.git. (rjung)
Fixes:
* Common: Use Local, rather than Global, mutexs on Windows to
better support multi-user environments. (markt)
* Apache: Use poll rather than select to avoid the limitations of
select triggering an httpd crash. Patch provided by Koen Wilde. (markt)
* ISAPI: Remove the check that rejects requests that contain path
segments that match WEB-INF or META-INF as it duplicates a check
that Tomcat performs and, because ISAPI does not have visibility of
the current context path, it is impossible to implement this check
without valid requests being rejected. (markt)
* Refactor normalisation of request URIs to a common location and align
the normalisation implementation for mod_jk with that implemented by
Tomcat. (markt)
Add:
* Clarify the behvaiour of lb workers when all ajp13 workers fail with
particular reference to the role of the retries attribute. (markt)
* Add the new load-balancer worker property lb_retries to improve the
control over the number of retries. Based on a patch provided by
Frederik Nosi. (markt)
* Add a note to the documentation that the CollapseSlashes options are
now effectively hard-coded to CollpaseSlashesAll due to the changes
made to align normalization with that implemented in Tomcat. (markt)
</description>
</patchinfo>
