SUSE has issued an advisory on April 10: https://lwn.net/Articles/969302/ The problem is fixed in version 1.2.49. Mageia 9 is also affected.
Status comment: (none) => Fixed upstream in 1.2.49
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-41081
Source RPM: (none) => apache-mod_jk-1.2.48-1.mga9.src.rpm
Little activity on this, and no single packager evident, so assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. (CVE-2023-41081)

References:
https://lwn.net/Articles/969302/
========================

Updated packages in core/updates_testing:
========================
apache-mod_jk-1.2.49-1.mga9
apache-mod_jk-manual-1.2.49-1.mga9
apache-mod_jk-tools-1.2.49-1.mga9

from SRPM:
apache-mod_jk-1.2.49-1.mga9.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 1.2.49 => (none)
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => advisory
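To make the advisory text concrete, here is an added, constructed httpd configuration pair (not from the Mageia bug, the package, or the mod_jk project). It contrasts the risky shape described above, "JkOptions +ForwardDirectories" with a mount that does not cover every path the connector may see, against a layout where each proxied path and the status worker have explicit JkMount entries and the status worker sits behind an httpd access control. The worker names (ajp13, jkstatus), file paths, hostname and port are assumptions; the fix for Mageia 9 is the 1.2.49 package, which removes implicit mapping regardless of configuration.

```apache
# Added example, not part of the original bug report or of mod_jk itself.
# Assumed /etc/httpd/conf/workers.properties (constructed) defines:
#   worker.list=jkstatus,ajp13
#   worker.jkstatus.type=status
#   worker.ajp13.type=ajp13
#   worker.ajp13.host=localhost
#   worker.ajp13.port=8009

LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel info

# --- Risky shape on mod_jk < 1.2.49 (CVE-2023-41081) ---
# ForwardDirectories is enabled, but only /app/* is mounted explicitly.
# Any other request reaching mod_jk had no explicit mapping, so the old
# implicit mapping sent it to the first worker in worker.list: here the
# status worker, which is exposed without any httpd access control.
JkOptions +ForwardDirectories
JkMount /app/* ajp13

# --- Explicit-mount layout ---
# Every path that is meant to be proxied has its own JkMount, and the
# status worker is reachable only under /jkmanager, which httpd itself
# restricts. Nothing is left to implicit mapping.
JkMount /app/* ajp13
JkMount /app ajp13
JkMount /jkmanager jkstatus

<Location /jkmanager>
    Require ip 127.0.0.1
</Location>
```

The two sections would not normally coexist in one file; they are shown side by side so the difference is visible. The second section does not remove the need to update to 1.2.49, which drops implicit mapping in the module itself.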
MGA9-64 Plasma Wayland on HP-Pavillion

No installation issues.

Ref bug 16078 for testing

# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-04-13 11:34:48 CEST; 14s ago
   Main PID: 97529 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 11 (limit: 4495)
     Memory: 47.7M
        CPU: 678ms
     CGroup: /system.slice/httpd.service
             ├─97529 /usr/sbin/httpd -DFOREGROUND
             ├─97849 /usr/sbin/httpd -DFOREGROUND
             ├─97852 /usr/sbin/httpd -DFOREGROUND
             ├─97854 /usr/sbin/httpd -DFOREGROUND
             ├─97858 /usr/sbin/httpd -DFOREGROUND
             └─97861 /usr/sbin/httpd -DFOREGROUND

Apr 13 11:34:48 mach4.hviaene.thuis systemd[1]: Starting httpd.service...
Apr 13 11:34:48 mach4.hviaene.thuis systemd[1]: Started httpd.service.

# systemctl stop httpd
# httpd -M
Loaded Modules:
gives a long list, so used
# httpd -M | grep jk
 jk_module (shared)

Looks OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0130.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED