SUSE-SU-2023:4513-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2023:4513-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2023:4513-1
Published
2023-11-21T16:25:57Z
Modified
2023-11-21T16:25:57Z
Summary
Security update for apache2-mod_jk
Details

This update for apache2-mod_jk fixes the following issues:

Update to version 1.2.49:

Apache:
* Retrieve default request id from mod_unique_id. It can also be taken from an arbitrary environment variable by configuring 'JkRequestIdIndicator'.
* Don't delegate the generation of the response body to httpd when the status code represents an error if the request used the HEAD method.
* Only export the main module symbol. Visibility of module internal symbols led to crashes when conflicting with library symbols. Based on a patch provided by Josef Čejka.
* Remove support for implicit mapping of requests to workers. All mappings must now be explicit.

IIS:
* Set default request id as a GUID. It can also be taken from an arbitrary request header by configuring 'request_id_header'.
* Fix non-empty check for the Translate header.

Common:
* Fix compiler warning when initializing and copying fixed length strings.
* Add a request id to mod_jk log lines.
* Enable configure to find the correct sizes for pid_t and pthread_t when building on MacOS.
* Fix Clang 15/16 compatibility. Pull request #6 provided by Sam James.
* Improve XSS hardening in status worker.
* Add additional bounds and error checking when reading AJP messages.

Docs:
* Remove support for the Netscape / Sun ONE / Oracle iPlanet Web Server as the product has been retired.
* Remove links to the old JK2 documentation. The JK2 documentation is still available, it is just no longer linked from the current JK documentation.
* Restructure subsections in changelog starting with version 1.2.45.

Changes for 1.2.47 and 1.2.48 updates:
* Add: Apache: Extend trace level logging of method entry/exit to aid debugging of request mapping issues.
* Fix: Apache: Fix a bug in the normalization checks that prevented file based requests, such as SSI file includes, from being processed.
* Fix: Apache: When using JkAutoAlias, ensure that files that include spaces in their name are accessible.
* Update: Common: Update the documentation to reflect that the source code for the Apache Tomcat Connectors has moved from Subversion to Git.
* Fix: Common: When using set_session_cookie, ensure that an updated session cookie is issued if the load-balancer has to failover to a different worker.
* Update: Common: Update config.guess and config.sub from https://git.savannah.gnu.org/git/config.git.
* Update: Common: Update release script for migration to git.

Update to version 1.2.46

Fixes:
* Apache: Fix regression in 1.2.44 which resulted in socket_connect_timeout being interpreted in units of seconds instead of milliseconds on platforms that provide poll(). (rjung)
* Security: CVE-2018-11759 Connector path traversal [bsc#1114612]

Update to version 1.2.45

Fixes:
* Correct regression in 1.2.44 that broke request handling for "OPTIONS *" requests. (rjung)
* Improve path parameter parsing so that the session ID specified by the session_path worker property for load-balanced workers can be extracted from a path parameter in any segment of the URI, rather than only from the final segment. (markt)
* Apache: Improve path parameter handling so that JkStripSession can remove session IDs that are specified on path parameters in any segment of the URI rather than only the final segment. (markt)
* IIS: Improve path parameter handling so that strip_session can remove session IDs that are specified on path parameters in any segment of the URI rather than only the final segment. (markt)

Updates:
* Apache: Update the documentation to note additional limitations of the JkAutoAlias directive. (markt)

Code:
* Common: Optimize path parameter handling. (rjung)

Update to version 1.2.44

Updates:
* Remove the Novell Netware make files and Netware specific source code since there has not been a supported version of Netware available for over five years. (markt)
* Apache: Update the documentation to use httpd 2.4.x style access control directives. (markt)
* Update PCRE bundled with the ISAPI redirector to 8.42. (rjung)
* Update config.guess and config.sub from https://git.savannah.gnu.org/git/config.git. (rjung)

Fixes:
* Common: Use Local, rather than Global, mutexes on Windows to better support multi-user environments. (markt)
* Apache: Use poll rather than select to avoid the limitations of select triggering an httpd crash. Patch provided by Koen Wilde. (markt)
* ISAPI: Remove the check that rejects requests that contain path segments that match WEB-INF or META-INF as it duplicates a check that Tomcat performs and, because ISAPI does not have visibility of the current context path, it is impossible to implement this check without valid requests being rejected. (markt)
* Refactor normalisation of request URIs to a common location and align the normalisation implementation for mod_jk with that implemented by Tomcat. (markt)

Add:
* Clarify the behaviour of lb workers when all ajp13 workers fail with particular reference to the role of the retries attribute. (markt)
* Add the new load-balancer worker property lb_retries to improve the control over the number of retries. Based on a patch provided by Frederik Nosi. (markt)
* Add a note to the documentation that the CollapseSlashes options are now effectively hard-coded to CollapseSlashesAll due to the changes made to align normalization with that implemented in Tomcat. (markt)

References

Affected packages

SUSE:Linux Enterprise Module for Server Applications 15 SP4 / apache2-mod_jk

Package

Name
apache2-mod_jk
Purl
purl:rpm/suse/apache2-mod_jk&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.49-150100.6.6.1

Ecosystem specific

{
    "binaries": [
        {
            "apache2-mod_jk": "1.2.49-150100.6.6.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Server Applications 15 SP5 / apache2-mod_jk

Package

Name
apache2-mod_jk
Purl
purl:rpm/suse/apache2-mod_jk&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.49-150100.6.6.1

Ecosystem specific

{
    "binaries": [
        {
            "apache2-mod_jk": "1.2.49-150100.6.6.1"
        }
    ]
}

openSUSE:Leap 15.4 / apache2-mod_jk

Package

Name
apache2-mod_jk
Purl
purl:rpm/suse/apache2-mod_jk&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.49-150100.6.6.1

Ecosystem specific

{
    "binaries": [
        {
            "apache2-mod_jk": "1.2.49-150100.6.6.1"
        }
    ]
}

openSUSE:Leap 15.5 / apache2-mod_jk

Package

Name
apache2-mod_jk
Purl
purl:rpm/suse/apache2-mod_jk&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.49-150100.6.6.1

Ecosystem specific

{
    "binaries": [
        {
            "apache2-mod_jk": "1.2.49-150100.6.6.1"
        }
    ]
}