Bug#425836: [CVE-2007-1860] A double encoded ".." in a URL can be used to access URLs on the AJP backend
Marco Nenciarini
mnencia at debian.org
Thu May 24 11:33:33 UTC 2007
Package: libapache2-mod-jk
Version: 1:1.2.22-1
Severity: grave
Tags: security
As stated at http://tomcat.apache.org/connectors-doc/, the 1.2.22
version of the jk connector is affected by CVE-2007-1860.
Please provide the 1.2.23 version.
Regards
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--
---------------------------------------------------------------------
| Marco Nenciarini | Debian/GNU Linux Developer - Plug Member |
| mnencia at prato.linux.it | http://www.prato.linux.it/~mnencia |
---------------------------------------------------------------------
Key fingerprint = FED9 69C7 9E67 21F5 7D95 5270 6864 730D F095 E5E4