SUSE 5058 Published by

An apache2-mod_jk security update has been released for openSUSE Leap 15.4/15.5 and SUSE Linux Enterprise.



SUSE-SU-2023:4513-1: important: Security update for apache2-mod_jk


# Security update for apache2-mod_jk

Announcement ID: SUSE-SU-2023:4513-1
Rating: important
References:

* bsc#1114612

Cross-References:

* CVE-2018-11759

CVSS scores:

* CVE-2018-11759 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2018-11759 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Server Applications Module 15-SP4
* Server Applications Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves one vulnerability can now be installed.

## Description:

This update for apache2-mod_jk fixes the following issues:

Update to version 1.2.49: Apache * Retrieve default request id from
mod_unique_id. It can also be taken from an arbitrary environment variable by
configuring "JkRequestIdIndicator". * Don't delegate the generatation of the
response body to httpd when the status code represents an error if the request
used the HEAD method. * Only export the main module symbol. Visibility of module
internal symbols led to crashes when conflicting with library symbols. Based on
a patch provided by Josef Čejka. * Remove support for implicit mapping of
requests to workers. All mappings must now be explicit. IIS * Set default
request id as a GUID. It can also be taken from an arbitrary request header by
configuring "request_id_header". * Fix non-empty check for the Translate header.
Common * Fix compiler warning when initializing and copying fixed length
strings. * Add a request id to mod_jk log lines. * Enable configure to find the
correct sizes for pid_t and pthread_t when building on MacOS. * Fix Clang 15/16
compatability. Pull request #6 provided by Sam James. * Improve XSS hardening in
status worker. * Add additional bounds and error checking when reading AJP
messages. Docs * Remove support for the Netscape / Sun ONE / Oracle iPlanet Web
Server as the product has been retired. * Remove links to the old JK2
documentation. The JK2 documentation is still available, it is just no longer
linked from the current JK documentation. * Restructure subsections in changelog
starting with version 1.2.45.

Changes for 1.2.47 and 1.2.48 updates: * Add: Apache: Extend trace level logging
of method entry/exit to aid debugging of request mapping issues. * Fix: Apache:
Fix a bug in the normalization checks that prevented file based requests, such
as SSI file includes, from being processed. * Fix: Apache: When using
JkAutoAlias, ensure that files that include spaces in their name are accessible.
* Update: Common: Update the documentation to reflect that the source code for
the Apache Tomcat Connectors has moved from Subversion to Git. * Fix: Common:
When using set_session_cookie, ensure that an updated session cookie is issued
if the load-balancer has to failover to a different worker. * Update: Common:
Update config.guess and config.sub from
https://git.savannah.gnu.org/git/config.git. * Update: Common: Update release
script for migration to git.

Update to version 1.2.46 Fixes: * Apache: Fix regression in 1.2.44 which
resulted in socket_connect_timeout to be interpreted in units of seconds instead
of milliseconds on platforms that provide poll(). (rjung) * Security:
CVE-2018-11759 Connector path traversal [bsc#1114612]

Update to version 1.2.45 Fixes: * Correct regression in 1.2.44 that broke
request handling for OPTIONS * requests. (rjung) * Improve path parameter
parsing so that the session ID specified by the session_path worker property for
load-balanced workers can be extracted from a path parameter in any segment of
the URI, rather than only from the final segment. (markt) * Apache: Improve path
parameter handling so that JkStripSession can remove session IDs that are
specified on path parameters in any segment of the URI rather than only the
final segment. (markt) * IIS: Improve path parameter handling so that
strip_session can remove session IDs that are specified on path parameters in
any segment of the URI rather than only the final segment. (markt) Updates: *
Apache: Update the documentation to note additional limitations of the
JkAutoAlias directive. (markt) Code: * Common: Optimize path parameter handling.
(rjung)

Update to version 1.2.44 Updates: * Remove the Novell Netware make files and
Netware specific source code since there has not been a supported version of
Netware available for over five years. (markt) * Apache: Update the
documentation to use httpd 2.4.x style access control directives. (markt) *
Update PCRE bundled with the ISAPI redirector to 8.42. (rjung) * Update
config.guess and config.sub from https://git.savannah.gnu.org/git/config.git.
(rjung) Fixes: * Common: Use Local, rather than Global, mutexs on Windows to
better support multi-user environments. (markt) * Apache: Use poll rather than
select to avoid the limitations of select triggering an httpd crash. Patch
provided by Koen Wilde. (markt) * ISAPI: Remove the check that rejects requests
that contain path segments that match WEB-INF or META-INF as it duplicates a
check that Tomcat performs and, because ISAPI does not have visibility of the
current context path, it is impossible to implement this check without valid
requests being rejected. (markt) * Refactor normalisation of request URIs to a
common location and align the normalisation implementation for mod_jk with that
implemented by Tomcat. (markt) Add: * Clarify the behvaiour of lb workers when
all ajp13 workers fail with particular reference to the role of the retries
attribute. (markt) * Add the new load-balancer worker property lb_retries to
improve the control over the number of retries. Based on a patch provided by
Frederik Nosi. (markt) * Add a note to the documentation that the
CollapseSlashes options are now effectively hard-coded to CollpaseSlashesAll due
to the changes made to align normalization with that implemented in Tomcat.
(markt)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-4513=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-4513=1

* Server Applications Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2023-4513=1

* Server Applications Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP5-2023-4513=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
* apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
* apache2-mod_jk-1.2.49-150100.6.6.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
* apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
* apache2-mod_jk-1.2.49-150100.6.6.1
* Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
* apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
* apache2-mod_jk-1.2.49-150100.6.6.1
* Server Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1
* apache2-mod_jk-debugsource-1.2.49-150100.6.6.1
* apache2-mod_jk-1.2.49-150100.6.6.1

## References:

* https://www.suse.com/security/cve/CVE-2018-11759.html
* https://bugzilla.suse.com/show_bug.cgi?id=1114612