Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-240-1 libapache-mod-jk

Debian Security Advisory

DLA-240-1 libapache-mod-jk -- LTS security update

Date Reported:

09 Jun 2015

Affected Packages:

libapache-mod-jk

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 783233.
In Mitre's CVE dictionary: CVE-2014-8111.

More information:

An information disclosure flaw due to incorrect JkMount/JkUnmount directives processing was found in the Apache 2 module mod_jk to forward requests from the Apache web server to Tomcat. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.

For the squeeze distribution, this problem has been fixed in version 1:1.2.30-1squeeze2.

We recommend that you upgrade your libapache-mod-jk packages.

This update has been prepared by Markus Koschany.