Updated apache-mod_jk packages fix security vulnerability
Publication date: 13 Apr 2024
Modification date: 13 Apr 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-41081
Description
In some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but did not provide explicit mounts for all possible proxied requests, the mod_jk component of Apache Tomcat Connectors would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be made via explicit configuration. (CVE-2023-41081)
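An added example, not part of the advisory or of the mod_jk project: a small audit that flags a configuration matching the condition described above, which is useful before upgrading because requests that relied on the implicit mapping are no longer forwarded in 1.2.49. It assumes that "first defined worker" means the first name in a single worker.list line, treats the httpd configuration as flat (no VirtualHost or Location scoping, no JkMountFile), and uses the absence of a catch-all "JkMount /*" as a heuristic for incomplete mounts; the sample inputs are constructed.

```python
# Constructed sample inputs (not taken from the advisory).
SAMPLE_HTTPD = """\
JkWorkersFile conf/workers.properties
JkOptions +ForwardKeySize +ForwardDirectories
JkMount /app/*.jsp node1
"""
SAMPLE_WORKERS = """\
worker.list=jkstatus,node1
worker.jkstatus.type=status
worker.node1.type=ajp13
"""

def directives(conf_text):
    """Yield (lowercased name, args) per directive line, skipping comments and <Section> tags."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), parts[1:]

def first_worker(workers_text):
    """Return (name, type) of the first worker in worker.list, or None if there is no list."""
    props = {}
    for line in workers_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith("#"):
            props[key.strip()] = value.strip()
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    return (names[0], props.get("worker.%s.type" % names[0])) if names else None

def audit(conf_text, workers_text):
    """Return findings for a config that could have relied on mod_jk's implicit mapping."""
    forward_dirs, mounts = False, []
    for name, args in directives(conf_text):
        if name == "jkoptions":
            for opt in (a.lower() for a in args):
                if opt.endswith("forwarddirectories"):
                    forward_dirs = opt.startswith("+")  # a later -ForwardDirectories turns it off
        elif name == "jkmount" and args:
            mounts.append(args[0])
    findings = []
    if forward_dirs and "/*" not in mounts:  # heuristic: no catch-all explicit mount
        findings.append("ForwardDirectories enabled; explicit mounts only cover: %s"
                        % (", ".join(mounts) or "(none)"))
        worker = first_worker(workers_text)
        if worker and worker[1] == "status":
            findings.append("first worker '%s' is a status worker" % worker[0])
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTPD, SAMPLE_WORKERS):
        print("WARN:", finding)
```

A finding means the mounts should be reviewed and made explicit; it does not prove that a given request was implicitly mapped.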
References
SRPMS
9/core
- apache-mod_jk-1.2.49-1.mga9