Debian has issued an advisory on June 3:
https://www.debian.org/security/2015/dsa-3278

Mageia 4 and Mageia 5 are affected.

Debian has a patch and it's apparently fixed upstream in 1.2.41.
The packager who imported this is no longer with us and this is not required by anything. It's Java-related and could be dropped...
CC: (none) => geiger.david68210, pterjan
The RedHat bug also has a link to the upstream commit: https://bugzilla.redhat.com/show_bug.cgi?id=1182591#c6
Severity: normal => major
Whiteboard: (none) => MGA5TOO MGA4TOO
Dropped from Cauldron before the Mageia 5 release.
Version: Cauldron => 4
Whiteboard: MGA5TOO MGA4TOO => (none)
CVE-2014-8111 now fixed for mga4, apache-mod_jk is submitted and uploaded on core/updates_testing adding patch from Debian.
Thanks David!

Advisory:
========================

Updated apache-mod_jk packages fix security vulnerability:

An information disclosure flaw due to incorrect JkMount/JkUnmount directives processing was found in the Apache 2 module mod_jk to forward requests from the Apache web server to Tomcat. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them (CVE-2014-8111).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
https://www.debian.org/security/2015/dsa-3278
========================

Updated packages in core/updates_testing:
========================
apache-mod_jk-1.2.37-6.1.mga4
apache-mod_jk-manual-1.2.37-6.1.mga4
apache-mod_jk-tools-1.2.37-6.1.mga4

from apache-mod_jk-1.2.37-6.1.mga4.src.rpm
Assignee: dmorganec => qa-bugs
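An audit sketch for the condition the advisory describes, added here as an example and not part of the bug report or of mod_jk: it lists every JkUnMount rule that carves a subtree out of an earlier JkMount, unless the installed build is known to carry the fix. The sample configuration and function names are constructed for illustration; the fixed upstream version and the backported build name come from this thread.

```python
import fnmatch
import re

FIXED_UPSTREAM = (1, 2, 41)  # upstream release named in this report
# Backported build named in this thread; its upstream version alone would misjudge it.
PATCHED_BUILDS = {"apache-mod_jk-1.2.37-6.2.mga4"}

# Apache directive names are case-insensitive.
RULE = re.compile(r"^\s*(JkMount|JkUnMount)\s+(\S+)\s+(\S+)", re.I)

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
JkMount /app/* worker1
JkUnMount /app/private/* worker1
JkMount /static/* worker2
JkUnMount /other/* worker1
"""

def is_fixed(nvr):
    """True if the build carries the fix (upstream >= 1.2.41 or a known backport)."""
    if nvr in PATCHED_BUILDS:
        return True
    m = re.search(r"-(\d+(?:\.\d+)+)-", nvr)
    return bool(m) and tuple(int(p) for p in m.group(1).split(".")) >= FIXED_UPSTREAM

def exposed_unmounts(conf):
    """List (line, unmount_pattern, mount_pattern) for each JkUnMount that carves
    a subtree out of an earlier JkMount for the same worker."""
    mounts, hits = [], []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        kind, pattern, worker = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "jkmount":
            mounts.append((pattern, worker))
            continue
        for m_pattern, m_worker in mounts:
            # "*" as the worker name makes an exclusion apply to every worker.
            if worker in (m_worker, "*") and pattern != m_pattern \
                    and fnmatch.fnmatchcase(pattern, m_pattern):
                hits.append((lineno, pattern, m_pattern))
    return hits

def audit(nvr, conf):
    """Unmount rules that cannot be relied on while the installed build is unfixed."""
    return [] if is_fixed(nvr) else exposed_unmounts(conf)

if __name__ == "__main__":
    for lineno, unmount, mount in audit("apache-mod_jk-1.2.37-6.mga4", SAMPLE_CONF):
        print(f"line {lineno}: JkUnMount {unmount} under JkMount {mount} may be ignored")
```

Any path reported here should also be protected by an access rule that does not depend on mod_jk's mapping until the fixed package is installed.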
MGA4-64 on HP Probook 6555b KDE
No installation issues.
There seems to be something missing by just adding this mod to a default http installation.
at CLI:
> systemctl start httpd.service
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
and
> systemctl -l status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: failed (Result: exit-code) since vr 2015-06-19 10:36:15 CEST; 4min 17s ago
  Process: 12553 ExecStop=/usr/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 12551 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 12551 (code=exited, status=1/FAILURE)

jun 19 10:36:15 <FQDN> httpd[12551]: httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 22 of /etc/httpd/conf/modules.d/10_mod_jk.conf: Cannot load extramodules/mod_jk.so into server: /etc/httpd/extramodules/mod_jk.so: cannot open shared object file: No such file or directory
jun 19 10:36:15 <FQDN> systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
jun 19 10:36:15 <FQDN> systemd[1]: Failed to start The Apache HTTP Server.
jun 19 10:36:15 <FQDN> systemd[1]: Unit httpd.service entered failed state.
CC: (none) => herman.viaene
Thanks. The config for this one was never fixed when we converted to Apache 2.4 and moved everything from extramodules to modules. I'll check in a fix once SVN is re-opened.
apache-mod_jk-1.2.37-6.2.mga4.src.rpm and associated packages are on their way.
MGA4-32 on AcerD620 Xfce.
No installation issues.
httpd starts normally after adding the packages.
Testcase???

MGA5-64 on HP Probook 6555b KDE
No package available for this version.
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
apache-mod_jk apache-mod_jk-manual apache-mod_jk-tools

default install of apache-mod_jk apache-mod_jk-manual apache-mod_jk-tools

[root@localhost wilcal]# urpmi apache-mod_jk
Package apache-mod_jk-1.2.37-6.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-manual
Package apache-mod_jk-manual-1.2.37-6.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-tools
Package apache-mod_jk-tools-1.2.37-6.mga4.i586 is already installed

apache-mod_jk packages all install cleanly

install apache-mod_jk packages from updates_testing

[root@localhost wilcal]# urpmi apache-mod_jk
Package apache-mod_jk-1.2.37-6.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-manual
Package apache-mod_jk-manual-1.2.37-6.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-tools
Package apache-mod_jk-tools-1.2.37-6.2.mga4.i586 is already installed

apache-mod_jk packages all update cleanly and without error

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
apache-mod_jk apache-mod_jk-manual apache-mod_jk-tools

default install of apache-mod_jk apache-mod_jk-manual apache-mod_jk-tools

[root@localhost wilcal]# urpmi apache-mod_jk
Package apache-mod_jk-1.2.37-6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-manual
Package apache-mod_jk-manual-1.2.37-6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-tools
Package apache-mod_jk-tools-1.2.37-6.mga4.x86_64 is already installed

apache-mod_jk packages all install cleanly

install apache-mod_jk packages from updates_testing

[root@localhost wilcal]# urpmi apache-mod_jk
Package apache-mod_jk-1.2.37-6.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-manual
Package apache-mod_jk-manual-1.2.37-6.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_jk-tools
Package apache-mod_jk-tools-1.2.37-6.2.mga4.x86_64 is already installed

apache-mod_jk packages all update cleanly and without error

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Let's push this one along.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
(In reply to Herman Viaene from comment #9)
> MGA4-32 on AcerD620 Xfce.
> No installation issues.
> httpd starts normally after adding the packages.
> Testcase???

Usually for these apache modules we run "httpd -M" and make sure the module shows up in the output.

> MGA5-64 on HP Probook 6555b KDE
> No package available for this version.

This update is only for Mageia 4, as you can see in the version field.
Advisory committed to svn. Someone from the sysadmin team please push 16078.adv to updates for Mageia 4.
CC: (none) => davidwhodgins
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
Advisory lists apache-mod_jk-1.2.37-6.1.mga4 instead of apache-mod_jk-1.2.37-6.2.mga4, fixing.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0254.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED