Change log for libapache-mod-jk package in Debian

Published in bullseye-release
libapache-mod-jk (1:1.2.48-1+deb11u1) bullseye; urgency=high

  * Fix CVE-2023-41081:
    The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
    forward requests from Apache to Tomcat, in some circumstances, such as when
    a configuration included "JkOptions +ForwardDirectories" but the
    configuration did not provide explicit mounts for all possible proxied
    requests, mod_jk would use an implicit mapping and map the request to the
    first defined worker. Such an implicit mapping could result in the
    unintended exposure of the status worker and/or bypass security constraints
    configured in httpd. As of this security update, the implicit mapping
    functionality has been removed and all mappings must now be via explicit
    configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
    (Closes: #1051956)

 -- Markus Koschany <email address hidden>  Sun, 24 Sep 2023 17:09:51 +0200
Published in bookworm-release
libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high

  * Fix CVE-2023-41081:
    The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to
    forward requests from Apache to Tomcat, in some circumstances, such as when
    a configuration included "JkOptions +ForwardDirectories" but the
    configuration did not provide explicit mounts for all possible proxied
    requests, mod_jk would use an implicit mapping and map the request to the
    first defined worker. Such an implicit mapping could result in the
    unintended exposure of the status worker and/or bypass security constraints
    configured in httpd. As of this security update, the implicit mapping
    functionality has been removed and all mappings must now be via explicit
    configuration. This issue affects Apache Tomcat Connectors (mod_jk only).
    (Closes: #1051956)

 -- Markus Koschany <email address hidden>  Sun, 24 Sep 2023 16:40:59 +0200
Published in sid-release
libapache-mod-jk (1:1.2.49-1) unstable; urgency=high

  * New upstream version 1.2.49.
    - Fix CVE-2023-41081:
      The mod_jk component of Apache Tomcat Connectors in some circumstances,
      such as when a configuration included "JkOptions +ForwardDirectories" but
      the configuration did not provide explicit mounts for all possible
      proxied requests, mod_jk would use an implicit mapping and map the
      request to the first defined worker. Such an implicit mapping could
      result in the unintended exposure of the status worker and/or bypass
      security constraints configured in httpd. As of JK 1.2.49, the implicit
      mapping functionality has been removed and all mappings must now be via
      explicit configuration. (Closes: #1051956)
      Thanks to Salvatore Bonaccorso for the report.

 -- Markus Koschany <email address hidden>  Fri, 15 Sep 2023 00:25:01 +0200

Superseded in bookworm-release
Superseded in sid-release
libapache-mod-jk (1:1.2.48-2) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.6.2.
  * Suggest tomcat10 instead of tomcat9.

 -- Markus Koschany <email address hidden>  Sat, 18 Feb 2023 19:17:18 +0100

Published in buster-release
libapache-mod-jk (1:1.2.46-1+deb10u1) buster; urgency=medium

  * Rename httpd-jk.conf to jk.conf to restore compatibility with Debian's Apache
    helpers a2enmod and a2dismod. (Closes: #928813)

 -- Markus Koschany <email address hidden>  Thu, 04 Jun 2020 21:18:07 +0200
Superseded in bullseye-release
Superseded in sid-release
libapache-mod-jk (1:1.2.48-1) unstable; urgency=medium

  * New upstream version 1.2.48.
  * Switch to debhelper-compat = 13.
  * Declare compliance with Debian Policy 4.5.0.
  * Use canonical VCS URI.
  * Suggest only the most recent version of tomcat.
  * Build-depend on default-jdk and ant to build the documentation.
  * Change the logic for building the documentation from source. Use ant.
  * Install the NOTICE file.
  * Drop 0001-disable-logo.patch and fix-privacy-breach.patch. Fixed upstream.

 -- Markus Koschany <email address hidden>  Thu, 04 Jun 2020 21:42:29 +0200

Superseded in sid-release
libapache-mod-jk (1:1.2.46-2) unstable; urgency=medium

  * Rename httpd-jk.conf to jk.conf to restore compatibility with Debian's
    Apache helpers a2enmod and a2dismod. (Closes: #928813)

 -- Markus Koschany <email address hidden>  Wed, 27 May 2020 19:19:20 +0200

Published in stretch-release
libapache-mod-jk (1:1.2.46-0+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * New upstream version 1.2.46
    + CVE-2018-11759: fix information disclosure and privilege escalation

 -- Roberto C. Sanchez <email address hidden>  Sun, 18 Nov 2018 09:06:40 -0500
Superseded in buster-release
Superseded in sid-release
libapache-mod-jk (1:1.2.46-1) unstable; urgency=medium

  * New upstream version 1.2.46.
  * Update debian/watch, import upstream signing key and verify tarballs.

 -- Markus Koschany <email address hidden>  Sun, 14 Oct 2018 12:26:05 +0200

Superseded in buster-release
Superseded in sid-release
libapache-mod-jk (1:1.2.44-3) unstable; urgency=medium

  * Remove conf/httpd-jk.conf from debian/clean to fix a FTBFS when building
    binary-arch target.

 -- Markus Koschany <email address hidden>  Sat, 06 Oct 2018 11:11:21 +0200
Superseded in sid-release
libapache-mod-jk (1:1.2.44-2) unstable; urgency=medium

  * Fix broken httpd-jk symlink.
    Thanks to Andreas Beckmann for the report. (Closes: #910160)

 -- Markus Koschany <email address hidden>  Wed, 03 Oct 2018 13:38:45 +0200
Superseded in sid-release
libapache-mod-jk (1:1.2.44-1) unstable; urgency=medium

  * New upstream version 1.2.44.
  * Declare compliance with Debian Policy 4.2.1.
  * Remove Damien Raude-Morvan from Uploaders. Add myself to Uploaders.
    (Closes: #889461)
  * Suggest alternative tomcat9 package.
  * Drop obsolete libapache2-mod-jk.NEWS.
  * Install new httpd-jk.conf file which follows Apache 2.4 syntax.
    (Closes: #786635)

 -- Markus Koschany <email address hidden>  Mon, 01 Oct 2018 19:15:34 +0200
Superseded in buster-release
Superseded in sid-release
libapache-mod-jk (1:1.2.43-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.1.3
  * Switch to debhelper level 11

 -- Emmanuel Bourg <email address hidden>  Mon, 12 Mar 2018 16:22:30 +0100

Superseded in buster-release
Superseded in stretch-release
Superseded in sid-release
libapache-mod-jk (1:1.2.42-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.2.42.
  * Switch to compat level 10.
  * Remove virtual package dh-apache2 from Build-Depends.
  * Declare compliance with Debian Policy 3.9.8.
  * Remove autotools-dev because we use compat 10 now.
  * Move the package to Git.

 -- Markus Koschany <email address hidden>  Sat, 08 Oct 2016 16:00:51 +0200

Superseded in stretch-release
Superseded in sid-release
libapache-mod-jk (1:1.2.41-1) unstable; urgency=medium

  * Team upload.
  * Imported Upstream version 1.2.41.
  * Drop README.source. We use regular upstream releases again.
  * Update get-orig-source target. Use --verbose and --download-current-version
    flags.
  * Drop disable-libtool-check.patch. Not required for normal releases.
  * Vcs-Browser: Use https.
  * Remove autoconf and automake from Build-Depends again.
  * Run wrap-and-sort -sa.
  * Add clean file and ensure libapache-mod-jk can be built twice in a row.
  * debian/rules: Remove override for dh_auto_clean.
  * Update debian/copyright for new release.

 -- Markus Koschany <email address hidden>  Fri, 30 Oct 2015 22:33:34 +0100

Published in wheezy-release
libapache-mod-jk (1:1.2.37-1+deb7u1) wheezy-security; urgency=high

  * Team upload.
  * Add CVE-2014-8111.patch. (Closes: #783233)
    It was discovered that a JkUnmount rule for a subtree of a previous JkMount
    rule could be ignored. This could allow a remote attacker to potentially
    access a private artifact in a tree that would otherwise not be accessible
    to them.
    - Add option to control handling of multiple adjacent slashes in mount and
      unmount. New default is collapsing the slashes only in unmount. Before
      this change, adjacent slashes were never collapsed, so most mounts and
      unmounts didn't match for URLs with multiple adjacent slashes.
    - Configuration is done via new JkOption for Apache (values
      "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount").

 -- Markus Koschany <email address hidden>  Sat, 23 May 2015 23:33:30 +0200
Published in jessie-release
libapache-mod-jk (1:1.2.37-4+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Add CVE-2014-8111.patch. (Closes: #783233)
    It was discovered that a JkUnmount rule for a subtree of a previous JkMount
    rule could be ignored. This could allow a remote attacker to potentially
    access a private artifact in a tree that would otherwise not be accessible
    to them.
    - Add option to control handling of multiple adjacent slashes in mount and
      unmount. New default is collapsing the slashes only in unmount. Before
      this change, adjacent slashes were never collapsed, so most mounts and
      unmounts didn't match for URLs with multiple adjacent slashes.
    - Configuration is done via new JkOption for Apache
      (values "CollapseSlashesAll", "CollapseSlashesNone" or
      "CollapseSlashesUnmount").

 -- Markus Koschany <email address hidden>  Sat, 23 May 2015 01:16:37 +0200
Superseded in stretch-release
Superseded in sid-release
libapache-mod-jk (1:1.2.40+svn150520-1) unstable; urgency=high

  * Team upload.
  * Imported Upstream SVN snapshot version 1.2.40+svn150520.
    - Fix CVE-2014-8111: (Closes: #783233)
      Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees of
      previous JkMount rules, which allows remote attackers to access otherwise
      restricted artifacts via unspecified vectors.
  * debian/control: Build-Depend on debhelper >= 9.
  * Remove source.lintian-overrides since we now build-depend on debhelper >=9.
  * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
  * debian/rules:
    - Disable sed command in debian/rules. Apparently not necessary for this
      release.
    - Run buildconf.sh before dh_auto_configure step since this is a requirement
      for building SVN snapshots.
    - Update dh_auto_clean override. Ensure that the package can be built twice
      in a row.
  * debian/control:
    - Add autoconf to Build-Depends.
    - Add automake to Build-Depends.
    - Remove Conflicts and Replaces fields because they are obsolete.
  * Add disable-libtool-check.patch and fix a FTBFS. We already build-depend on
    libtool but the script is not smart enough.
  * Add fix-privacy-breach.patch and fix lintian errors about "privacy breach
    logo".
  * Update debian/copyright information. Add missing BSD-3-clause license.
  * Add README.source.

 -- Markus Koschany <email address hidden>  Thu, 21 May 2015 17:53:24 +0200

Superseded in stretch-release
Superseded in jessie-release
Superseded in sid-release
libapache-mod-jk (1:1.2.37-4) unstable; urgency=medium


  * Team upload.
  * Switched to tomcat8 (Closes: #759624)
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <email address hidden>  Mon, 17 Nov 2014 14:52:23 +0100

Superseded in jessie-release
Superseded in sid-release
libapache-mod-jk (1:1.2.37-3) unstable; urgency=low


  * d/rules: Fix "Hardening CPPFLAGS missing" (Closes: #710809).
    Thanks to Simon Ruderich for providing patch.
  * d/patches/0004-corrupted-worker-activation-status.patch:
    Fix "Worker activation state corrupted when using jkmanager",
    Thanks to David Gubler for patch (Closes: #711934).

 -- Damien Raude-Morvan <email address hidden>  Mon, 12 Aug 2013 10:28:44 +0200

Superseded in jessie-release
Superseded in sid-release
libapache-mod-jk (1:1.2.37-2) unstable; urgency=low


  * Re-enable Apache 2.4 transition after wheezy release (Closes: #666851):
    - d/control: Add Build-Depends apache2-dev and dh-apache2.
    - d/rules: Call apache2 dh addon.
    - d/libapache2-mod-jk.{postinst,postrm}: Replace with
      d/libapache2-mod-jk.apache2.
    - d/control: Remove explicit Depends on apache2.2-common.
  * d/control: Bump Standards-Version to 3.9.4: no changes needed.
  * d/control: Use canonical URL for Vcs-* fields.

 -- Damien Raude-Morvan <email address hidden>  Sat, 01 Jun 2013 15:14:00 +0200

Superseded in jessie-release
Superseded in wheezy-release
Superseded in sid-release
libapache-mod-jk (1:1.2.37-1) unstable; urgency=low


  * New upstream release.

 -- Damien Raude-Morvan <email address hidden>  Sun, 03 Jun 2012 23:09:32 +0200

Superseded in wheezy-release
Superseded in sid-release
libapache-mod-jk (1:1.2.36-1) unstable; urgency=low


  * New upstream release.
  * Revert Apache 2.4 transition (ie. just for wheezy release).
  * Refresh patches.

 -- Damien Raude-Morvan <email address hidden>  Fri, 18 May 2012 19:20:50 +0200

Deleted in experimental-release (Reason: None provided.)
libapache-mod-jk (1:1.2.35-1) experimental; urgency=low


  * New upstream release:
    - d/patches/0004-compiler-hardening.patch: Merged upstream.
  * d/rules: Just use dh_auto. No need to force using sub-directory as
    debhelper is doing it for us.
  * Prepare Apache 2.4 transition (Closes: #666851):
    - d/control: Add Build-Depends apache2-dev and dh-apache2.
    - d/rules: Call apache2 dh addon.
    - d/libapache2-mod-jk.{postinst,postrm}: Replace with
      d/libapache2-mod-jk.apache2.
    - d/control: Remove explicit Depends on apache2.2-common.
  * d/control: Bump Standards-Version to 3.9.3, no changes needed.
  * d/copyright: Upgrade to copyright-format 1.0.

 -- Damien Raude-Morvan <email address hidden>  Wed, 04 Apr 2012 22:32:12 +0200
Superseded in wheezy-release
Superseded in sid-release
libapache-mod-jk (1:1.2.32-2) unstable; urgency=low


  * Team upload.
  * Set debian/compat to 9; bump debhelper dependency to 8.1.3.
  * Modify debian/rules to enable hardening flags 
    and add patches/0004-compiler-hardening.patch (Closes: #656876)
  * Remove Michael Koch from Uploaders. (Closes: #654045)

 -- tony mancill <email address hidden>  Sat, 04 Feb 2012 07:17:54 +0000

Superseded in wheezy-release
Superseded in sid-release
libapache-mod-jk (1:1.2.32-1) unstable; urgency=low

  * New upstream release:
    - Fix whitespace trimming when parsing attribute lists. LP: #592576.
  * Add myself in Uploaders.
  * Include a sensible default configuration in
    /etc/apache2/mods-available/jk.conf
    and remove old sample in /usr/share/doc/libapache2-mod-jk/.
    LP: #118649.
  * Describe changes in upstream handling of JkMount in global scope
    vs in VirtualHost scope (in d/README and default configuration).
    Closes: #460398.
  * Bump Standards-Version to 3.9.2:
    - d/control: Add recommended get-orig-source target.
  * d/watch: Update to new upstream layout.
  * Refresh patches.
  * d/copyright: Upgrade to DEP-5 format.
  * d/README.source: Removed (aka dpatch one)
  * d/libapache-mod-jk.*: Remove old traces from Apache 1.3
    (dropped since lenny).
  * d/rules: Switch to dh7 handling.
  * d/compat: Switch to debhelper compat level 8.
  * Replace d/patches/0004 by autotools_dev dh sequence addons.
  * d/rules: Enable LFS with -D_FILE_OFFSET_BITS=64. Closes: #590075.

 -- Damien Raude-Morvan <email address hidden>  Thu, 14 Jul 2011 01:15:52 +0200
Published in squeeze-release
libapache-mod-jk (1:1.2.30-1squeeze1) stable; urgency=medium

  * Team upload.
  * Fix issue with socket(2) syscall and SOCK_CLOEXEC flag affecting
    upgrades from 1.2.26 to 1.2.30. (Closes: #609886).

 -- Miguel Landaeta <email address hidden>  Wed, 09 Feb 2011 23:07:41 -0500
Superseded in wheezy-release
Superseded in sid-release
libapache-mod-jk (1:1.2.31-1) unstable; urgency=low

  * Team upload.
  * Bump debhelper compatibility level to 7.
  * Bump Standards-Version to 3.9.1. No changes were required.
  * Remove duplicated control fields in binary packages.
  * Fix lintian warning about dh_clean -k deprecation.
  * Update package section to httpd.
  * Document in NEWS the minimal Linux version needed (>= 2.6.27) to use
    this module.

 -- Miguel Landaeta <email address hidden>  Tue, 15 Feb 2011 09:29:23 -0430
Superseded in wheezy-release
Superseded in squeeze-release
Superseded in sid-release
libapache-mod-jk (1:1.2.30-1) unstable; urgency=low


  * Team upload
  * New upstream release
  * Convert patches to dep3 format.
  * Switch to source format 3.0.
  * Remove Stefan (Gybas) and Arnaud from Uploaders list. Thanks to your
    contribution in the past!
  * Add Vcs-* headers.
  * Add missing Depends: ${misc:Depends}. 
  * Update Standards-Version: 3.9.0 (no changes).
  * Update patch for config.guess and config.sub.
  * Switch to tomcat6 and default-java in workers.properties. Thanks to
    Olivier Berger. (Closes: #590078)

 -- Torsten Werner <email address hidden>  Sat, 24 Jul 2010 01:04:36 +0200
Superseded in squeeze-release
Superseded in sid-release
libapache-mod-jk (1:1.2.28-2) unstable; urgency=low


  * Added debian/patches/05_config_update.dpatch which updates
    config.{guess|sub} in native/scripts/build/unix/ (Closes: #540392).
  * debian/control: Let libapache2-mod-jk suggest tomcat6 instead of
    tomcat5.5.
  * Added debian/README.source.
  * Updated Standards-Version to 3.8.3.

 -- Michael Koch <email address hidden>  Thu, 20 Aug 2009 20:04:39 +0200
Superseded in squeeze-release
Superseded in sid-release
libapache-mod-jk (1:1.2.28-1) unstable; urgency=low


  * New upstream release.
    - Removed debian/patches/05_bug_451494.dpatch. Applied upstream.
    - Removed debian/patches/06_CVE-2008-5519.dpatch. Applied upstream.
  * Updated Build-Depends to debhelper (>= 5) as 4 is deprecated.
  * Link /usr/share/common-licenses/Apache-2.0 in debian/copyright.
  * Updated Standards-Version to 3.8.2.

 -- Michael Koch <email address hidden>  Sat, 25 Jul 2009 23:08:41 +0200
Superseded in sid-release
Superseded in squeeze-release
libapache-mod-jk (1:1.2.26-2.1) unstable; urgency=high


  * Non-maintainer upload by the security-team.
  * CVE-2008-5519: Fix information disclosure vulnerability when clients
    abort connection before sending POST body (closes: #523054).

 -- Stefan Fritsch <email address hidden>  Sat, 30 May 2009 15:49:20 +0200
Published in lenny-release
libapache-mod-jk (1:1.2.26-2+lenny1) stable-security; urgency=high


  * Non-maintainer upload by the security-team.
  * CVE-2008-5519: Fix information disclosure vulnerability when clients
    abort connection before sending POST body (closes: #523054).

 -- Stefan Fritsch <email address hidden>  Sun, 31 May 2009 20:33:52 +0200
Superseded in sid-release
Superseded in squeeze-release
Superseded in lenny-release
libapache-mod-jk (1:1.2.26-2) unstable; urgency=low


  * Apply patch to fix JkOptions handling for virtual hosts. Thanks to
    Toshihiro Sasajima for the patch, Closes: #451494
  * Fixed debian/copyright to mention copyright and license properly.
  * debian/libapache-mod-jk-doc.doc-base: Moved to section
    System/Administration.
  * Remove unused lintian override for libapache-mod-jk-doc.

 -- Michael Koch <email address hidden>  Wed, 02 Apr 2008 23:09:41 +0200