apache2-mod_jk-1.2.48-2.9 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10625-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache2-mod_jk-1.2.48-2.9 on GA media These are all security issues fixed in the apache2-mod_jk-1.2.48-2.9 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10625 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2007-0774/ SUSE CVE CVE-2007-0774 page https://www.suse.com/security/cve/CVE-2018-11759/ SUSE CVE CVE-2018-11759 page https://www.suse.com/security/cve/CVE-2018-1323/ SUSE CVE CVE-2018-1323 page openSUSE Tumbleweed apache2-mod_jk-1.2.48-2.9 apache2-mod_jk-1.2.48-2.9 as a component of openSUSE Tumbleweed Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine. CVE-2007-0774 openSUSE Tumbleweed:apache2-mod_jk-1.2.48-2.9 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-0774.html CVE-2007-0774 https://bugzilla.suse.com/248157 SUSE Bug 248157 The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. CVE-2018-11759 openSUSE Tumbleweed:apache2-mod_jk-1.2.48-2.9 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11759.html CVE-2018-11759 https://bugzilla.suse.com/1114612 SUSE Bug 1114612 The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy. CVE-2018-1323 openSUSE Tumbleweed:apache2-mod_jk-1.2.48-2.9 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1323.html CVE-2018-1323 https://bugzilla.suse.com/1085220 SUSE Bug 1085220 https://bugzilla.suse.com/1114612 SUSE Bug 1114612