Gentoo Archives: gentoo-commits

From: "Alex Legler (a3li)" <a3li@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200906-04.xml
Date: Mon, 29 Jun 2009 22:43:39
Message-Id: E1MLPZZ-0000mT-I1@stork.gentoo.org
1 a3li 09/06/29 22:43:37
2
3 Added: glsa-200906-04.xml
4 Log:
5 GLSA 200906-04
6
7 Revision Changes Path
8 1.1 xml/htdocs/security/en/glsa/glsa-200906-04.xml
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200906-04.xml?rev=1.1&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200906-04.xml?rev=1.1&content-type=text/plain
12
13 Index: glsa-200906-04.xml
14 ===================================================================
15 <?xml version="1.0" encoding="utf-8"?>
16 <?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17 <?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18 <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20 <glsa id="200906-04">
21 <title>Apache Tomcat JK Connector: Information disclosure</title>
22 <synopsis>
23 An error in the Apache Tomcat JK Connector might allow for an information
24 disclosure flaw.
25 </synopsis>
26 <product type="ebuild">mod_jk</product>
27 <announced>June 29, 2009</announced>
28 <revised>June 29, 2009: 01</revised>
29 <bug>265455</bug>
30 <access>remote</access>
31 <affected>
32 <package name="www-apache/mod_jk" auto="yes" arch="*">
33 <unaffected range="ge">1.2.27</unaffected>
34 <vulnerable range="lt">1.2.27</vulnerable>
35 </package>
36 </affected>
37 <background>
38 <p>
39 The Apache Tomcat JK Connector (aka mod_jk) connects the Tomcat
40 application server with the Apache HTTP Server.
41 </p>
42 </background>
43 <description>
44 <p>
45 The Red Hat Security Response Team discovered that mod_jk does not
46 properly handle (1) requests setting the "Content-Length" header while
47 not providing data and (2) clients sending repeated requests very
48 quickly.
49 </p>
50 </description>
51 <impact type="low">
52 <p>
53 A remote attacker could send specially crafted requests or a large
54 number of requests at a time, possibly resulting in the disclosure of a
55 response intended for another client.
56 </p>
57 </impact>
58 <workaround>
59 <p>
60 There is no known workaround at this time.
61 </p>
62 </workaround>
63 <resolution>
64 <p>
65 All Apache Tomcat JK Connector users should upgrade to the latest
66 version:
67 </p>
68 <code>
69 # emerge --sync
70 # emerge --ask --oneshot --verbose &quot;&gt;=www-apache/mod_jk-1.2.27&quot;</code>
71 </resolution>
72 <references>
73 <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519">CVE-2008-5519</uri>
74 </references>
75 <metadata tag="requester" timestamp="Wed, 24 Jun 2009 16:46:40 +0000">
76 keytoaster
77 </metadata>
78 <metadata tag="submitter" timestamp="Sun, 28 Jun 2009 12:27:09 +0000">
79 a3li
80 </metadata>
81 <metadata tag="bugReady" timestamp="Mon, 29 Jun 2009 22:42:43 +0000">
82 a3li
83 </metadata>
84 </glsa>