Posted to users@tomcat.apache.org by Jakob Ericsson <ja...@gmail.com> on 2009/04/17 09:14:35 UTC

Re: [SECURITY] CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

Hi,

We are also getting this error in mod_proxy_ajp (2.2.11 on Windows).

Anyone know if this is the same fix?
https://issues.apache.org/bugzilla/show_bug.cgi?id=46949

Seems to be fixed.

/Jakob


On Tue, Apr 7, 2009 at 10:42 PM, Mark Thomas <ma...@apache.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Vulnerability announcement:
> CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability
>
> Severity: important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> mod_jk 1.2.0 to 1.2.26
>
> Description:
> Situations where faulty clients set Content-Length without providing
> data, or where a user submits repeated requests very quickly may permit
> one user to view the response associated with a different user's request.
>
> Mitigation:
> Upgrade to mod_jk 1.2.27 or later
>
> Example:
> See description
>
> Credit:
> This issue was discovered by the Red Hat Security Response Team
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-jk.html
>
> The Apache Tomcat Security Team
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJ27rAb7IeiTPGAkMRAlsDAJ9qqKPiFnh+rxaxzMZmKIFA5Q5r5QCg2N84
> OzL54gpA6e272kokWjK4wZU=
> =GKVO
> -----END PGP SIGNATURE-----
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>



-- 
Jakob Ericsson, JAKERI AB
Tel. +46 704 533 627


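The mechanism in the quoted advisory (a client that announces a Content-Length but sends no body, so the proxy's idea of where one request ends and the next begins drifts) can be shown with a small model. This is an added example and not part of the thread: it is not mod_jk or mod_proxy_ajp code, the ClientStream class, request bytes and arrival times are constructed, and the bounded body read that rejects short bodies is the general mitigation pattern, not the specific change shipped in mod_jk 1.2.27. The real bug involved pooled backend AJP connections shared between users; the toy models the same desynchronisation on a single byte stream.

```python
"""Toy model of the request desynchronisation described in CVE-2008-5519.

Constructed illustration, not mod_jk or mod_proxy_ajp code. A client announces
Content-Length but never sends the body; a proxy that waits for the body
without limit ends up treating the *next* request's bytes as that body, and
everything after it on the connection is misaligned. Reading the body with a
bounded wait and rejecting short bodies keeps the stream aligned.
"""
from dataclasses import dataclass

INF = float("inf")


class IncompleteBody(Exception):
    """Fewer body bytes arrived before the deadline than Content-Length promised."""


@dataclass
class Chunk:
    arrives_at: float  # seconds after the connection opened (constructed value)
    data: bytes


class ClientStream:
    """Bytes from one client connection, tagged with their arrival times.

    recv(n, deadline) returns up to n bytes that have arrived by `deadline`;
    b'' means nothing more arrives before the deadline (a read timeout).
    """

    def __init__(self, chunks):
        self.chunks = list(chunks)

    def next_arrival(self):
        """Arrival time of the next unread byte, or None if the client is done."""
        while self.chunks and not self.chunks[0].data:
            self.chunks.pop(0)
        return self.chunks[0].arrives_at if self.chunks else None

    def recv(self, n, deadline=INF):
        arrival = self.next_arrival()
        if arrival is None or arrival > deadline:
            return b""
        head = self.chunks[0]
        out, head.data = head.data[:n], head.data[n:]
        return out


def read_headers(stream):
    """Read the request line and headers (up to the blank line)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        piece = stream.recv(1)
        if not piece:
            raise IncompleteBody("connection ended inside the headers")
        buf += piece
    lines = buf[:-4].split(b"\r\n")  # drop the terminating CRLF CRLF
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers


def read_body(stream, content_length, deadline):
    """Read exactly content_length bytes or raise IncompleteBody at the deadline."""
    body = b""
    while len(body) < content_length:
        piece = stream.recv(content_length - len(body), deadline)
        if not piece:
            raise IncompleteBody(f"got {len(body)} of {content_length} bytes")
        body += piece
    return body


def proxy_requests(stream, body_timeout):
    """Read successive requests from one keep-alive connection as a proxy would
    before forwarding them. body_timeout=INF is the unbounded wait; a finite
    value is the bounded wait that rejects a request whose body never arrives.
    Returns ("forwarded", request_line, body) or ("rejected", request_line, why)."""
    results = []
    while True:
        now = stream.next_arrival()
        if now is None:
            return results  # client closed the connection
        request_line, headers = read_headers(stream)
        content_length = int(headers.get("content-length", "0"))
        try:
            body = read_body(stream, content_length, deadline=now + body_timeout)
        except IncompleteBody as exc:
            # Hardened behaviour: never forward a request whose body is not the
            # client's own bytes; reject it and close the connection so the
            # backend connection is not left waiting mid-request.
            results.append(("rejected", request_line, str(exc)))
            return results
        results.append(("forwarded", request_line, body))


def faulty_client():
    """Constructed traffic: a POST that promises 10 body bytes but sends none,
    then, five seconds later, an unrelated GET on the same connection."""
    return ClientStream([
        Chunk(0.0, b"POST /login HTTP/1.1\r\nHost: app\r\nContent-Length: 10\r\n\r\n"),
        Chunk(5.0, b"GET /account HTTP/1.1\r\nHost: app\r\n\r\n"),
    ])


if __name__ == "__main__":
    print("unbounded wait:", proxy_requests(faulty_client(), body_timeout=INF))
    print("2s body timeout:", proxy_requests(faulty_client(), body_timeout=2.0))
```

With the unbounded wait the POST is forwarded with the first ten bytes of the GET as its body and the remainder of the GET is parsed as a request line of `nt HTTP/1.1`, which is the kind of misalignment that lets responses be paired with the wrong request. With a two-second body timeout the POST is rejected with "got 0 of 10 bytes" and the connection is closed, so nothing downstream is left in an ambiguous state.
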
Re: [SECURITY] CVE-2008-5519: Apache Tomcat mod_jk information disclosure vulnerability

Posted by Rainer Jung <ra...@kippdata.de>.
Hi,

the problem is not fixed in httpd 2.2.11. It will be fixed in 2.2.12. A
source patch is available under the URL

http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/

I assume that you don't build yourself, because most Windows httpd
users start with a binary download. There is no updated (patched)
Windows binary for 2.2.11 so far.

Since you also put this question into the httpd bugzilla issue, I assume
you will get some answer there as well.

It is better to run this discussion either in BZ46949 or on the httpd
list. The tomcat lists are not the right place for topics that are
related to problems w.r.t. httpd only.

Regards,

Rainer

On 17.04.2009 09:14, Jakob Ericsson wrote:
> Hi,
> 
> We are also getting this error in mod_proxy_ajp (2.2.11 on Windows)
> 
> Anyone know if this is the same fix?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=46949
> 
> Seems to be fixed.
> 
> /Jakob
