Advisories » MGASA-2024-0130

Updated apache-mod_jk packages fix security vulnerability

Publication date: 13 Apr 2024
Modification date: 13 Apr 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-41081

Description

In some circumstances, such as when a configuration included
"JkOptions +ForwardDirectories" but did not provide explicit mounts for
all possible proxied requests, the mod_jk component of Apache Tomcat
Connectors would use an implicit mapping and map the request to the
first defined worker. Such an implicit mapping could result in the
unintended exposure of the status worker and/or bypass of security
constraints configured in httpd. As of JK 1.2.49, the implicit mapping
functionality has been removed and all mappings must now be made via
explicit configuration. (CVE-2023-41081)
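
A configuration check for the condition described above, as an added example that is not part of the advisory or of the mod_jk project. The sample httpd and workers.properties text is constructed, the function names are hypothetical, and "first defined worker" is assumed to mean the first entry of worker.list.

```python
import re

# Constructed sample inputs for illustration; not taken from the advisory.
HTTPD_CONF = """\
JkOptions +ForwardDirectories
JkMount /app/* ajp13_worker
"""
WORKERS = """\
worker.list=jkstatus,ajp13_worker
worker.jkstatus.type=status
worker.ajp13_worker.type=ajp13
"""

def parse_httpd(conf):
    """Return (ForwardDirectories enabled?, [(uri_pattern, worker), ...])."""
    forward, mounts = False, []
    for raw in conf.splitlines():
        parts = raw.split() or [""]   # blank and "#" comment lines match nothing
        name = parts[0].lower()       # httpd directive names are case-insensitive
        if name == "jkoptions":
            for opt in parts[1:]:
                if opt[1:].lower() == "forwarddirectories":
                    forward = opt[0] == "+"
        elif name == "jkmount" and len(parts) >= 3:
            mounts.append((parts[1], parts[2]))
    return forward, mounts

def parse_workers(props):
    """Return (workers in worker.list order, {worker: type})."""
    order, types = [], {}
    for raw in props.splitlines():
        key, _, value = (s.strip() for s in raw.partition("="))
        if key == "worker.list":
            order += [w.strip() for w in value.split(",") if w.strip()]
        elif (m := re.fullmatch(r"worker\.([^.]+)\.type", key)):
            types[m.group(1)] = value
    return order, types

def audit(conf, props):
    """List findings relevant to CVE-2023-41081 (applies to JK before 1.2.49)."""
    forward, mounts = parse_httpd(conf)
    order, types = parse_workers(props)
    if not forward:
        return []
    covered = ", ".join(uri for uri, _ in mounts) or "(none)"
    findings = [f"+ForwardDirectories set; explicit mounts cover only: {covered}"]
    # Assumption: "first defined worker" is the first entry of worker.list.
    if order and types.get(order[0]) == "status":
        findings.append(f"first defined worker '{order[0]}' is a status worker")
    return findings
```

An empty result means ForwardDirectories is not enabled in the text examined; it does not replace updating to the fixed package.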
                

References

SRPMS

9/core