Change log for libapache-mod-jk package in Debian
1 → 34 of 34 results
Published in bullseye-release
libapache-mod-jk (1:1.2.48-1+deb11u1) bullseye; urgency=high

  * Fix CVE-2023-41081: The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to forward requests from Apache to Tomcat, in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of this security update, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. This issue affects Apache Tomcat Connectors (mod_jk only). (Closes: #1051956)

 -- Markus Koschany <email address hidden>  Sun, 24 Sep 2023 17:09:51 +0200
Published in bookworm-release
libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high

  * Fix CVE-2023-41081: The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to forward requests from Apache to Tomcat, in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of this security update, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. This issue affects Apache Tomcat Connectors (mod_jk only). (Closes: #1051956)

 -- Markus Koschany <email address hidden>  Sun, 24 Sep 2023 16:40:59 +0200
Published in sid-release
libapache-mod-jk (1:1.2.49-1) unstable; urgency=high

  * New upstream version 1.2.49.
    - Fix CVE-2023-41081: The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. (Closes: #1051956) Thanks to Salvatore Bonaccorso for the report.

 -- Markus Koschany <email address hidden>  Fri, 15 Sep 2023 00:25:01 +0200
Available diffs
- diff from 1:1.2.48-2 to 1:1.2.49-1 (2.0 MiB)
libapache-mod-jk (1:1.2.48-2) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.6.2.
  * Suggest tomcat10 instead of tomcat9.

 -- Markus Koschany <email address hidden>  Sat, 18 Feb 2023 19:17:18 +0100
Available diffs
- diff from 1:1.2.48-1 to 1:1.2.48-2 (996 bytes)
Published in buster-release
libapache-mod-jk (1:1.2.46-1+deb10u1) buster; urgency=medium

  * Rename httpd-jk.conf to jk.conf to restore compatibility with Debian's Apache helpers a2enmod and a2dismod. (Closes: #928813)

 -- Markus Koschany <email address hidden>  Thu, 04 Jun 2020 21:18:07 +0200
libapache-mod-jk (1:1.2.48-1) unstable; urgency=medium

  * New upstream version 1.2.48.
  * Switch to debhelper-compat = 13.
  * Declare compliance with Debian Policy 4.5.0.
  * Use canonical VCS URI.
  * Suggest only the most recent version of tomcat.
  * Build-depend on default-jdk and ant to build the documentation.
  * Change the logic for building the documentation from source. Use ant.
  * Install the NOTICE file.
  * Drop 0001-disable-logo.patch and fix-privacy-breach.patch. Fixed upstream.

 -- Markus Koschany <email address hidden>  Thu, 04 Jun 2020 21:42:29 +0200
Available diffs
- diff from 1:1.2.46-2 to 1:1.2.48-1 (376.2 KiB)
Superseded in sid-release
libapache-mod-jk (1:1.2.46-2) unstable; urgency=medium

  * Rename httpd-jk.conf to jk.conf to restore compatibility with Debian's Apache helpers a2enmod and a2dismod. (Closes: #928813)

 -- Markus Koschany <email address hidden>  Wed, 27 May 2020 19:19:20 +0200
Available diffs
- diff from 1:1.2.46-1 to 1:1.2.46-2 (693 bytes)
Published in stretch-release
libapache-mod-jk (1:1.2.46-0+deb9u1) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * New upstream version 1.2.46
    + CVE-2018-11759: fix information disclosure and privilege escalation

 -- Roberto C. Sanchez <email address hidden>  Sun, 18 Nov 2018 09:06:40 -0500
libapache-mod-jk (1:1.2.46-1) unstable; urgency=medium

  * New upstream version 1.2.46.
  * Update debian/watch, import upstream signing key and verify tarballs.

 -- Markus Koschany <email address hidden>  Sun, 14 Oct 2018 12:26:05 +0200
Available diffs
- diff from 1:1.2.43-1 to 1:1.2.46-1 (239.4 KiB)
libapache-mod-jk (1:1.2.44-3) unstable; urgency=medium

  * Remove conf/httpd-jk.conf from debian/clean to fix a FTBFS when building binary-arch target.

 -- Markus Koschany <email address hidden>  Sat, 06 Oct 2018 11:11:21 +0200
Superseded in sid-release
libapache-mod-jk (1:1.2.44-2) unstable; urgency=medium

  * Fix broken httpd-jk symlink. Thanks to Andreas Beckmann for the report. (Closes: #910160)

 -- Markus Koschany <email address hidden>  Wed, 03 Oct 2018 13:38:45 +0200
Superseded in sid-release
libapache-mod-jk (1:1.2.44-1) unstable; urgency=medium

  * New upstream version 1.2.44.
  * Declare compliance with Debian Policy 4.2.1.
  * Remove Damien Raude-Morvan from Uploaders. Add myself to Uploaders. (Closes: #889461)
  * Suggest alternative tomcat9 package.
  * Drop obsolete libapache2-mod-jk.NEWS.
  * Install new httpd-jk.conf file which follows Apache 2.4 syntax. (Closes: #786635)

 -- Markus Koschany <email address hidden>  Mon, 01 Oct 2018 19:15:34 +0200
libapache-mod-jk (1:1.2.43-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.1.3
  * Switch to debhelper level 11

 -- Emmanuel Bourg <email address hidden>  Mon, 12 Mar 2018 16:22:30 +0100
Available diffs
- diff from 1:1.2.42-1 to 1:1.2.43-1 (598.7 KiB)
libapache-mod-jk (1:1.2.42-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.2.42.
  * Switch to compat level 10.
  * Remove virtual package dh-apache2 from Build-Depends.
  * Declare compliance with Debian Policy 3.9.8.
  * Remove autotools-dev because we use compat 10 now.
  * Move the package to Git.

 -- Markus Koschany <email address hidden>  Sat, 08 Oct 2016 16:00:51 +0200
Available diffs
- diff from 1:1.2.41-1 to 1:1.2.42-1 (2.2 MiB)
libapache-mod-jk (1:1.2.41-1) unstable; urgency=medium

  * Team upload.
  * Imported Upstream version 1.2.41.
  * Drop README.source. We use regular upstream releases again.
  * Update get-orig-source target. Use --verbose and --download-current-version flags.
  * Drop disable-libtool-check.patch. Not required for normal releases.
  * Vcs-Browser: Use https.
  * Remove autoconf and automake from Build-Depends again.
  * Run wrap-and-sort -sa.
  * Add clean file and ensure libapache-mod-jk can be built twice in a row.
  * debian/rules: Remove override for dh_auto_clean.
  * Update debian/copyright for new release.

 -- Markus Koschany <email address hidden>  Fri, 30 Oct 2015 22:33:34 +0100
Available diffs
- diff from 1:1.2.40+svn150520-1 to 1:1.2.41-1 (672.3 KiB)
Published in wheezy-release
libapache-mod-jk (1:1.2.37-1+deb7u1) wheezy-security; urgency=high

  * Team upload.
  * Add CVE-2014-8111.patch. (Closes: #783233)
    It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.
    - Add option to control handling of multiple adjacent slashes in mount and unmount. New default is collapsing the slashes only in unmount. Before this change, adjacent slashes were never collapsed, so most mounts and unmounts didn't match for URLs with multiple adjacent slashes.
    - Configuration is done via new JkOption for Apache (values "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount").

 -- Markus Koschany <email address hidden>  Sat, 23 May 2015 23:33:30 +0200
Published in jessie-release
libapache-mod-jk (1:1.2.37-4+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Add CVE-2014-8111.patch. (Closes: #783233)
    It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.
    - Add option to control handling of multiple adjacent slashes in mount and unmount. New default is collapsing the slashes only in unmount. Before this change, adjacent slashes were never collapsed, so most mounts and unmounts didn't match for URLs with multiple adjacent slashes.
    - Configuration is done via new JkOption for Apache (values "CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount").

 -- Markus Koschany <email address hidden>  Sat, 23 May 2015 01:16:37 +0200
libapache-mod-jk (1:1.2.40+svn150520-1) unstable; urgency=high

  * Team upload.
  * Imported Upstream SVN snapshot version 1.2.40+svn150520.
    - Fix CVE-2014-8111: (Closes: #783233) Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.
  * debian/control: Build-Depend on debhelper >= 9.
  * Remove source.lintian-overrides since we now build-depend on debhelper >=9.
  * Drop 0004-corrupted-worker-activation-status.patch. Fixed upstream.
  * debian/rules:
    - Disable sed command in debian/rules. Apparently not necessary for this release.
    - Run buildconf.sh before dh_auto_configure step since this is a requirement for building SVN snapshots.
    - Update dh_auto_clean override. Ensure that the package can be built twice in a row.
  * debian/control:
    - Add autoconf to Build-Depends.
    - Add automake to Build-Depends.
    - Remove Conflicts and Replaces fields because they are obsolete.
  * Add disable-libtool-check.patch and fix a FTBFS. We already build-depend on libtool but the script is not smart enough.
  * Add fix-privacy-breach.patch and fix lintian errors about "privacy breach logo".
  * Update debian/copyright information. Add missing BSD-3-clause license.
  * Add README.source.

 -- Markus Koschany <email address hidden>  Thu, 21 May 2015 17:53:24 +0200
Available diffs
- diff from 1:1.2.37-4 to 1:1.2.40+svn150520-1 (827.2 KiB)
libapache-mod-jk (1:1.2.37-4) unstable; urgency=medium

  * Team upload.
  * Switched to tomcat8 (Closes: #759624)
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <email address hidden>  Mon, 17 Nov 2014 14:52:23 +0100
Available diffs
- diff from 1:1.2.37-3 to 1:1.2.37-4 (878 bytes)
libapache-mod-jk (1:1.2.37-3) unstable; urgency=low

  * d/rules: Fix "Hardening CPPFLAGS missing" (Closes: #710809). Thanks to Simon Ruderich for providing patch.
  * d/patches/0004-corrupted-worker-activation-status.patch: Fix "Worker activation state corrupted when using jkmanager", Thanks to David Gubler for patch (Closes: #711934).

 -- Damien Raude-Morvan <email address hidden>  Mon, 12 Aug 2013 10:28:44 +0200
Available diffs
- diff from 1:1.2.37-2 to 1:1.2.37-3 (1.4 KiB)
libapache-mod-jk (1:1.2.37-2) unstable; urgency=low

  * Re-enable Apache 2.4 transition after wheezy release (Closes: #666851):
    - d/control: Add Build-Depends apache2-dev and dh-apache2.
    - d/rules: Call apache2 dh addon.
    - d/libapache2-mod-jk.{postinst,postrm}: Replace with d/libapache2-mod-jk.apache2.
    - d/control: Remove explicit Depends on apache2.2-common.
  * d/control: Bump Standards-Version to 3.9.4: no changes needed.
  * d/control: Use canonical URL for Vcs-* fields.

 -- Damien Raude-Morvan <email address hidden>  Sat, 01 Jun 2013 15:14:00 +0200
Available diffs
- diff from 1:1.2.37-1 to 1:1.2.37-2 (1.5 KiB)
libapache-mod-jk (1:1.2.37-1) unstable; urgency=low

  * New upstream release.

 -- Damien Raude-Morvan <email address hidden>  Sun, 03 Jun 2012 23:09:32 +0200
Available diffs
- diff from 1:1.2.36-1 to 1:1.2.37-1 (9.1 KiB)
libapache-mod-jk (1:1.2.36-1) unstable; urgency=low

  * New upstream release.
  * Revert Apache 2.4 transition (ie. just for wheezy release).
  * Refresh patches.

 -- Damien Raude-Morvan <email address hidden>  Fri, 18 May 2012 19:20:50 +0200
Available diffs
- diff from 1:1.2.32-2 to 1:1.2.36-1 (230.6 KiB)
Deleted in experimental-release (Reason: None provided.)
libapache-mod-jk (1:1.2.35-1) experimental; urgency=low

  * New upstream release:
    - d/patches/0004-compiler-hardening.patch: Merged upstream.
  * d/rules: Just use dh_auto. No need to force using sub-directory as debhelper is doing it for us.
  * Prepare Apache 2.4 transition (Closes: #666851):
    - d/control: Add Build-Depends apache2-dev and dh-apache2.
    - d/rules: Call apache2 dh addon.
    - d/libapache2-mod-jk.{postinst,postrm}: Replace with d/libapache2-mod-jk.apache2.
    - d/control: Remove explicit Depends on apache2.2-common.
  * d/control: Bump Standards-Version to 3.9.3, no changes needed.
  * d/copyright: Upgrade to copyright-format 1.0.

 -- Damien Raude-Morvan <email address hidden>  Wed, 04 Apr 2012 22:32:12 +0200
libapache-mod-jk (1:1.2.32-2) unstable; urgency=low

  * Team upload.
  * Set debian/compat to 9; bump debhelper dependency to 8.1.3.
  * Modify debian/rules to enable hardening flags and add patches/0004-compiler-hardening.patch (Closes: #656876)
  * Remove Michael Koch from Uploaders. (Closes: #654045)

 -- tony mancill <email address hidden>  Sat, 04 Feb 2012 07:17:54 +0000
Available diffs
- diff from 1:1.2.32-1 to 1:1.2.32-2 (1.5 KiB)
libapache-mod-jk (1:1.2.32-1) unstable; urgency=low

  * New upstream release:
    - Fix whitespace trimming when parsing attribute lists. LP: #592576.
  * Add myself in Uploaders.
  * Include a sensible default configuration in /etc/apache2/mods-available/jk.conf and remove old sample in /usr/share/doc/libapache2-mod-jk/. LP: #118649.
  * Describe changes in upstream handling of JkMount in global scope vs in VirtualHost scope (in d/README and default configuration). Closes: #460398.
  * Bump Standards-Version to 3.9.2:
    - d/control: Add recommended get-orig-source target.
  * d/watch: Update to new upstream layout.
  * Refresh patches.
  * d/copyright: Upgrade to DEP-5 format.
  * d/README.source: Removed (aka dpatch one)
  * d/libapache-mod-jk.*: Remove old traces from Apache 1.3 (dropped since lenny).
  * d/rules: Switch to dh7 handling.
  * d/compat: Switch to debhelper compat level 8.
  * Replace d/patches/0004 by autotools_dev dh sequence addons.
  * d/rules: Enable LFS with -D_FILE_OFFSET_BITS=64. Closes: #590075.

 -- Damien Raude-Morvan <email address hidden>  Thu, 14 Jul 2011 01:15:52 +0200
Published in squeeze-release
libapache-mod-jk (1:1.2.30-1squeeze1) stable; urgency=medium

  * Team upload.
  * Fix issue with socket(2) syscall and SOCK_CLOEXEC flag affecting upgrades from 1.2.26 to 1.2.30. (Closes: #609886).

 -- Miguel Landaeta <email address hidden>  Wed, 09 Feb 2011 23:07:41 -0500
libapache-mod-jk (1:1.2.31-1) unstable; urgency=low

  * Team upload.
  * Bump debhelper compatibility level to 7.
  * Bump Standards-Version to 3.9.1. No changes were required.
  * Remove duplicated control fields in binary packages.
  * Fix lintian warning about dh_clean -k deprecation.
  * Update package section to httpd.
  * Document in NEWS the minimal Linux version needed (>= 2.6.27) to use this module.

 -- Miguel Landaeta <email address hidden>  Tue, 15 Feb 2011 09:29:23 -0430
libapache-mod-jk (1:1.2.30-1) unstable; urgency=low

  * Team upload
  * New upstream release
  * Convert patches to dep3 format.
  * Switch to source format 3.0.
  * Remove Stefan (Gybas) and Arnaud from Uploaders list. Thanks to your contribution in the past!
  * Add Vcs-* headers.
  * Add missing Depends: ${misc:Depends}.
  * Update Standards-Version: 3.9.0 (no changes).
  * Update patch for config.guess and config.sub.
  * Switch to tomcat6 and default-java in workers.properties. Thanks to Olivier Berger. (Closes: #590078)

 -- Torsten Werner <email address hidden>  Sat, 24 Jul 2010 01:04:36 +0200
libapache-mod-jk (1:1.2.28-2) unstable; urgency=low

  * Added debian/patches/05_config_update.dpatch which updates config.{guess|sub} in native/scripts/build/unix/ (Closes: #540392).
  * debian/control: Let libapache2-mod-jk suggest tomcat6 instead of tomcat5.5.
  * Added debian/README.source.
  * Updated Standards-Version to 3.8.3.

 -- Michael Koch <email address hidden>  Thu, 20 Aug 2009 20:04:39 +0200
libapache-mod-jk (1:1.2.28-1) unstable; urgency=low

  * New upstream release.
    - Removed debian/patches/05_bug_451494.dpatch. Applied upstream.
    - Removed debian/patches/06_CVE-2008-5519.dpatch. Applied upstream.
  * Updated Build-Depends to debhelper (>= 5) as 4 is deprecated.
  * Link /usr/share/common-licenses/Apache-2.0 in debian/copyright.
  * Updated Standards-Version to 3.8.2.

 -- Michael Koch <email address hidden>  Sat, 25 Jul 2009 23:08:41 +0200
libapache-mod-jk (1:1.2.26-2.1) unstable; urgency=high

  * Non-maintainer upload by the security-team.
  * CVE-2008-5519: Fix information disclosure vulnerability when clients abort connection before sending POST body (closes: #523054).

 -- Stefan Fritsch <email address hidden>  Sat, 30 May 2009 15:49:20 +0200
Published in lenny-release
libapache-mod-jk (1:1.2.26-2+lenny1) stable-security; urgency=high

  * Non-maintainer upload by the security-team.
  * CVE-2008-5519: Fix information disclosure vulnerability when clients abort connection before sending POST body (closes: #523054).

 -- Stefan Fritsch <email address hidden>  Sun, 31 May 2009 20:33:52 +0200
Superseded in sid-release
Superseded in squeeze-release
Superseded in squeeze-release
Superseded in sid-release
Superseded in lenny-release
libapache-mod-jk (1:1.2.26-2) unstable; urgency=low

  * Apply patch to fix JkOptions handling for virtual hosts. Thanks to Toshihiro Sasajima for the patch, Closes: #451494
  * Fixed debian/copyright to mention copyright and license properly.
  * debian/libapache-mod-jk-doc.doc-base: Moved to section System/Administration.
  * Remove unused lintian override for libapache-mod-jk-doc.

 -- Michael Koch <email address hidden>  Wed, 02 Apr 2008 23:09:41 +0200