From a24567fbc43f221b14e805f9bc0b7c6d16911c46 Mon Sep 17 00:00:00 2001 From: Alex Legler Date: Sun, 8 Mar 2015 22:02:38 +0100 Subject: Import existing advisories --- glsa-200703-16.xml | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 glsa-200703-16.xml (limited to 'glsa-200703-16.xml') diff --git a/glsa-200703-16.xml b/glsa-200703-16.xml new file mode 100644 index 00000000..44b92e73 --- /dev/null +++ b/glsa-200703-16.xml @@ -0,0 +1,70 @@ + + + + + + + Apache JK Tomcat Connector: Remote execution of arbitrary code + + The Apache Tomcat Connector (mod_jk) contains a buffer overflow + vulnerability that could result in the remote execution of arbitrary code. + + mod_jk + March 16, 2007 + March 16, 2007: 01 + 169433 + remote + + + 1.2.21-r1 + 1.2.21-r1 + + + +

+ The Apache HTTP server is a very widely used web server. mod_jk + provides the JK module for connecting Tomcat and Apache using the ajp13 + protocol. +

+ + +

+ ZDI reported an unsafe memory copy in mod_jk that was discovered by an + anonymous researcher in the map_uri_to_worker function of + native/common/jk_uri_worker_map.c . +

+ + +

+ A remote attacker can send a long URL request to an Apache server using + Tomcat. That can trigger the vulnerability and lead to a stack-based + buffer overflow, which could result in the execution of arbitrary code + with the permissions of the Apache user. +

+ + +

+ There is no known workaround at this time. +

+ + +

+ All Apache Tomcat users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_jk-1.2.21-r1" + + + CVE-2007-0774 + + + DerCorny + + + falco + + + jaervosz + + -- cgit v1.2.3-65-gdbad