The following updates has been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-68-1 libapache-mod-jk security update
Debian GNU/Linux 8 LTS:
DLA 1609-1: libapache-mod-jk security update
DLA 1610-1: sleuthkit security update
Debian GNU/Linux 7 Extended LTS:
ELA-68-1 libapache-mod-jk security update
Debian GNU/Linux 8 LTS:
DLA 1609-1: libapache-mod-jk security update
DLA 1610-1: sleuthkit security update
ELA-68-1 libapache-mod-jk security update
Package: libapache-mod-jk
Version: 1.2.46-0+deb7u1
Related CVE: CVE-2018-11759
A vulnerability has been discovered in libapache-mod-jk, the Apache 2 connector for the Tomcat Java servlet engine.
The libapache-mod-jk connector is susceptible to information disclosure and privilege escalation because of a mishandling of URL normalization.
The nature of the fix required that libapache-mod-jk in Debian 7 “Wheezy” be updated to the latest upstream release. For reference, the upstream changes associated with each release version are documented here:
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
For Debian 7 Wheezy, these problems have been fixed in version 1.2.46-0+deb7u1.
We recommend that you upgrade your libapache-mod-jk packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1609-1: libapache-mod-jk security update
Package : libapache-mod-jk
Version : 1.2.46-0+deb8u1
CVE ID : CVE-2018-11759
A vulnerability has been discovered in libapache-mod-jk, the Apache 2
connector for the Tomcat Java servlet engine.
The libapache-mod-jk connector is susceptible to information disclosure
and privilege escalation because of a mishandling of URL normalization.
The nature of the fix required that libapache-mod-jk in Debian 8
"Jessie" be updated to the latest upstream release. For reference, the
upstream changes associated with each release version are documented
here:
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
For Debian 8 "Jessie", this problem has been fixed in version
1.2.46-0+deb8u1.
We recommend that you upgrade your libapache-mod-jk packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1610-1: sleuthkit security update
Package : sleuthkit
Version : 4.1.3-4+deb8u1
CVE ID : CVE-2018-19497
Debian Bug : 914796
It was discovered that the Sleuth Kit (TSK) through version 4.6.4 is
affected by a buffer over-read vulnerability. The tsk_getu16 call in
hfs_dir_open_meta_cb (tsk/fs/hfs_dent.c) does not properly check
boundaries. This vulnerability might be leveraged by remote attackers
using crafted filesystem images to cause denial of service or any other
unspecified behavior.
For Debian 8 "Jessie", this problem has been fixed in version
4.1.3-4+deb8u1.
We recommend that you upgrade your sleuthkit packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
