SUSE-SU-2025:0102-1

Опубликовано: 14 янв. 2025

Источник: suse-cvrf

Описание

Security update for apache2-mod_jk

This update for apache2-mod_jk fixes the following issues:

Update to version 1.2.50:
CVE-2024-46544: Fixed incorrect default permissions vulnerabilitymay that could lead to information disclosure and/or denial of service. (bsc#1230916)
CVE-2023-41081: Fixed information disclosure in mod_jk. (bsc#1215301)

Список пакетов

SUSE Linux Enterprise Module for Server Applications 15 SP6

apache2-mod_jk-1.2.50-150100.6.12.1

openSUSE Leap 15.6

apache2-mod_jk-1.2.50-150100.6.12.1

Ссылки

https://www.suse.com/support/update/announcement/2025/suse-su-20250102-1/
Link for SUSE-SU-2025:0102-1
https://lists.suse.com/pipermail/sle-security-updates/2025-January/020119.html
E-Mail link for SUSE-SU-2025:0102-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1215301
SUSE Bug 1215301
https://bugzilla.suse.com/1230916
SUSE Bug 1230916
https://www.suse.com/security/cve/CVE-2023-41081/
SUSE CVE CVE-2023-41081 page
https://www.suse.com/security/cve/CVE-2024-46544/
SUSE CVE CVE-2024-46544 page

Описание

Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected. This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48. Users are recommended to upgrade to version 1.2.49, which fixes the issue. History 2023-09-13 Original advisory 2023-09-28 Updated summary

Затронутые продукты

SUSE Linux Enterprise Module for Server Applications 15 SP6:apache2-mod_jk-1.2.50-150100.6.12.1

openSUSE Leap 15.6:apache2-mod_jk-1.2.50-150100.6.12.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-41081.html
CVE-2023-41081
https://bugzilla.suse.com/1215301
SUSE Bug 1215301

Описание

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue.

Затронутые продукты

SUSE Linux Enterprise Module for Server Applications 15 SP6:apache2-mod_jk-1.2.50-150100.6.12.1

openSUSE Leap 15.6:apache2-mod_jk-1.2.50-150100.6.12.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-46544.html
CVE-2024-46544
https://bugzilla.suse.com/1230916
SUSE Bug 1230916

SUSE-SU-2025:0102-1

Описание

Список пакетов

SUSE Linux Enterprise Module for Server Applications 15 SP6

openSUSE Leap 15.6

Ссылки

Уязвимость: CVE-2023-41081

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-46544

Описание

Затронутые продукты

Ссылки