<div class="container">
<h1>Security update for apache2-mod_jk</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:4513-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1114612">bsc#1114612</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2018-11759.html">CVE-2018-11759</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-11759</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2018-11759</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">Server Applications Module 15-SP4</li>
<li class="list-group-item">Server Applications Module 15-SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for apache2-mod_jk fixes the following issues:</p>
<p>Update to version 1.2.49:
Apache
* Retrieve default request id from mod_unique_id. It can also be
taken from an arbitrary environment variable by configuring
"JkRequestIdIndicator".
* Don't delegate the generation of the response body to httpd
when the status code represents an error if the request used
the HEAD method.
* Only export the main module symbol. Visibility of module
internal symbols led to crashes when conflicting with library
symbols. Based on a patch provided by Josef Čejka.
* Remove support for implicit mapping of requests to workers.
All mappings must now be explicit.
IIS
* Set default request id as a GUID. It can also be taken from an
arbitrary request header by configuring "request_id_header".
* Fix non-empty check for the Translate header.
Common
* Fix compiler warning when initializing and copying fixed
length strings.
* Add a request id to mod_jk log lines.
* Enable configure to find the correct sizes for pid_t and
pthread_t when building on MacOS.
* Fix Clang 15/16 compatibility. Pull request #6 provided by
Sam James.
* Improve XSS hardening in status worker.
* Add additional bounds and error checking when reading AJP
messages.
Docs
* Remove support for the Netscape / Sun ONE / Oracle iPlanet Web
Server as the product has been retired.
* Remove links to the old JK2 documentation. The JK2
documentation is still available, it is just no longer linked
from the current JK documentation.
* Restructure subsections in changelog starting with version
1.2.45.</p>
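<p>The 1.2.49 item about "additional bounds and error checking when reading AJP messages" is the kind of change that is easy to state and easy to get wrong. The following Python is an added illustration written for this page, not mod_jk's own C code: a reader for AJP13 "Send Headers" messages (the container-to-web-server direction that mod_jk parses) in which every field read first checks the bytes remaining, the envelope length is validated against the buffer, and a header count that promises more headers than the payload carries fails with an error instead of reading past the end. The wire layout used (magic <code>AB</code>, 2-byte big-endian payload length, strings as 2-byte length plus bytes plus NUL, <code>0xFFFF</code> for a null string, <code>0xA0xx</code> codes for well-known header names) is the AJP13 format; the sample packets are constructed in the block, not captured traffic, and the header-code table is deliberately partial.</p>

```python
import struct

AJP_MAGIC = b"AB"          # magic for container -> web server packets
SEND_HEADERS = 4           # prefix code of the "Send Headers" message
MAX_PAYLOAD = 8188         # 8 KiB packet limit minus the 4-byte envelope
RESPONSE_HEADER_CODES = {  # well-known response header names sent as 0xA0xx codes (partial)
    0xA001: "Content-Type", 0xA003: "Content-Length", 0xA004: "Date",
    0xA006: "Location", 0xA007: "Set-Cookie",
}


class AjpError(ValueError):
    """Raised for any malformed or truncated message."""


class AjpReader:
    """Cursor over one payload; every read checks the remaining length first."""

    def __init__(self, payload):
        self.buf, self.pos = payload, 0

    def _need(self, n):
        if self.pos + n > len(self.buf):
            raise AjpError(f"truncated: need {n} byte(s) at offset {self.pos}, "
                           f"only {len(self.buf) - self.pos} left")

    def u8(self):
        self._need(1)
        self.pos += 1
        return self.buf[self.pos - 1]

    def u16(self):
        self._need(2)
        self.pos += 2
        return struct.unpack_from(">H", self.buf, self.pos - 2)[0]

    def string(self):
        n = self.u16()
        if n == 0xFFFF:        # AJP encodes a null string as length 0xFFFF
            return None
        self._need(n + 1)      # n bytes plus the mandatory NUL terminator
        if self.buf[self.pos + n] != 0:
            raise AjpError("string is not NUL-terminated")
        text = self.buf[self.pos:self.pos + n].decode("latin-1")
        self.pos += n + 1
        return text


def unwrap_packet(data):
    """Validate the envelope and return exactly the payload it declares."""
    if len(data) < 4 or data[:2] != AJP_MAGIC:
        raise AjpError("bad AJP magic")
    length = struct.unpack_from(">H", data, 2)[0]
    if length > MAX_PAYLOAD:
        raise AjpError(f"declared payload length {length} exceeds {MAX_PAYLOAD}")
    if len(data) < 4 + length:
        raise AjpError("packet shorter than its declared length")
    return data[4:4 + length]


def parse_send_headers(data):
    r = AjpReader(unwrap_packet(data))
    if r.u8() != SEND_HEADERS:
        raise AjpError("not a SEND_HEADERS message")
    status, reason, count = r.u16(), r.string(), r.u16()
    headers = []
    for _ in range(count):          # a lying count runs into _need() and fails cleanly
        code = r.u16()
        if code & 0xFF00 == 0xA000:  # coded well-known name
            name = RESPONSE_HEADER_CODES.get(code)
            if name is None:
                raise AjpError(f"unknown header code {code:#06x}")
        else:                        # otherwise those two bytes were a string length
            r.pos -= 2
            name = r.string()
        headers.append((name, r.string()))
    if r.pos != len(r.buf):
        raise AjpError(f"{len(r.buf) - r.pos} trailing byte(s) after message")
    return {"status": status, "reason": reason, "headers": headers}


# --- constructed sample packets (not captured traffic) ----------------------
def _s(text):
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_send_headers(status, reason, headers, claimed_count=None):
    body = bytes([SEND_HEADERS]) + struct.pack(">H", status) + _s(reason)
    body += struct.pack(">H", len(headers) if claimed_count is None else claimed_count)
    for name, value in headers:
        body += (struct.pack(">H", name) if isinstance(name, int) else _s(name)) + _s(value)
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


HDRS = [(0xA001, "text/html"), ("X-Worker", "ajp13_a")]
GOOD = build_send_headers(200, "OK", HDRS)
TRUNCATED = GOOD[:-6]                                             # envelope promises more than arrives
BAD_COUNT = build_send_headers(200, "OK", HDRS, claimed_count=5)  # header count lies


def parse_error(data):
    """Return the error a packet produces, or None if it parses cleanly."""
    try:
        parse_send_headers(data)
    except AjpError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(parse_send_headers(GOOD))
    print("truncated ->", parse_error(TRUNCATED))
    print("bad count ->", parse_error(BAD_COUNT))
```

<p>The two failure cases matter for different reasons: the truncated packet is caught at the envelope, before any field is read, while the lying header count is only caught by the per-read check inside the loop. A reader that trusts either the declared length or the declared count is the one that reads past its buffer.</p>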
<p>Changes for 1.2.47 and 1.2.48 updates:
* Add: Apache: Extend trace level logging of method entry/exit to
aid debugging of request mapping issues.
* Fix: Apache: Fix a bug in the normalization checks that prevented
file based requests, such as SSI file includes, from being processed.
* Fix: Apache: When using JkAutoAlias, ensure that files that include
spaces in their name are accessible.
* Update: Common: Update the documentation to reflect that the source
code for the Apache Tomcat Connectors has moved from Subversion to Git.
* Fix: Common: When using set_session_cookie, ensure that an updated session
cookie is issued if the load-balancer has to failover to a different worker.
* Update: Common: Update config.guess and config.sub from
https://git.savannah.gnu.org/git/config.git.
* Update: Common: Update release script for migration to git.</p>
<p>Update to version 1.2.46
Fixes:
* Apache: Fix regression in 1.2.44 which resulted in
socket_connect_timeout to be interpreted in units of seconds
instead of milliseconds on platforms that provide poll(). (rjung)
* Security: CVE-2018-11759 Connector path traversal [bsc#1114612]</p>
<p>Update to version 1.2.45
Fixes:
* Correct regression in 1.2.44 that broke request handling for
OPTIONS * requests. (rjung)
* Improve path parameter parsing so that the session ID specified
by the session_path worker property for load-balanced workers
can be extracted from a path parameter in any segment of the
URI, rather than only from the final segment. (markt)
* Apache: Improve path parameter handling so that JkStripSession
can remove session IDs that are specified on path parameters in any
segment of the URI rather than only the final segment. (markt)
* IIS: Improve path parameter handling so that strip_session can
remove session IDs that are specified on path parameters in any
segment of the URI rather than only the final segment. (markt)
Updates:
* Apache: Update the documentation to note additional
limitations of the JkAutoAlias directive. (markt)
Code:
* Common: Optimize path parameter handling. (rjung)</p>
<p>Update to version 1.2.44
Updates:
* Remove the Novell Netware make files and Netware specific source
code since there has not been a supported version of Netware
available for over five years. (markt)
* Apache: Update the documentation to use httpd 2.4.x style access
control directives. (markt)
* Update PCRE bundled with the ISAPI redirector to 8.42. (rjung)
* Update config.guess and config.sub from
https://git.savannah.gnu.org/git/config.git. (rjung)
Fixes:
* Common: Use Local, rather than Global, mutexes on Windows to
better support multi-user environments. (markt)
* Apache: Use poll rather than select to avoid the limitations of
select triggering an httpd crash. Patch provided by Koen Wilde. (markt)
* ISAPI: Remove the check that rejects requests that contain path
segments that match WEB-INF or META-INF as it duplicates a check
that Tomcat performs and, because ISAPI does not have visibility of
the current context path, it is impossible to implement this check
without valid requests being rejected. (markt)
* Refactor normalisation of request URIs to a common location and align
the normalisation implementation for mod_jk with that implemented by
Tomcat. (markt)
Add:
* Clarify the behaviour of lb workers when all ajp13 workers fail with
particular reference to the role of the retries attribute. (markt)
* Add the new load-balancer worker property lb_retries to improve the
control over the number of retries. Based on a patch provided by
Frederik Nosi. (markt)
* Add a note to the documentation that the CollapseSlashes options are
now effectively hard-coded to CollapseSlashesAll due to the changes
made to align normalization with that implemented in Tomcat. (markt)</p>
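<p>Three of the items above describe one theme: the reverse proxy must canonicalise a request URI the same way the servlet container does before it decides whether the URI matches a uri-worker map entry (1.2.44, "align the normalisation implementation for mod_jk with that implemented by Tomcat", with slash collapsing now always on), and path parameters such as <code>;jsessionid=...</code> can appear in any segment, not only the last one (1.2.45). The Python below is an added example written for this page, not mod_jk's own code and not a reconstruction of the CVE-2018-11759 details (which the advisory does not give); it shows a naive normaliser that resolves <code>..</code> but leaves <code>;</code> parameters in place beside a normaliser that strips parameters from every segment first, collapses repeated slashes, decodes percent-escapes and refuses encoded separators, and then a simplified worker lookup (exact, <code>/prefix/*</code>, <code>*.ext</code>, and <code>!</code> exclusions; mod_jk's real precedence rules are richer). The uri-worker map and the sample URIs are constructed for the example.</p>

```python
from urllib.parse import unquote

URI_MAP = {                    # constructed uri-worker map in mod_jk's pattern style
    "/app/*": "ajp13_app",     # forward everything under /app ...
    "!/app/private/*": None,   # ... except this subtree (exclusion)
}


def _resolve(segments):
    """Apply '.' and '..' and drop empty segments ('//'); None if '..' climbs above /."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return out


def _join(out, segments):
    return "/" + "/".join(out) + ("/" if out and segments[-1] == "" else "")


def naive_normalize(uri):
    """Resolves dot-segments but leaves ';' path parameters alone, so '..;x' survives.

    The backend strips parameters per segment, so it sees a different path than
    the proxy matched against its map: this is the mismatch to avoid."""
    if not uri.startswith("/"):
        return None
    segments = uri.split("/")[1:]
    out = _resolve(segments)
    return None if out is None else _join(out, segments)


def normalize(uri):
    """Canonical path as the backend will see it, or None to reject the request.

    Order matters: refuse encoded separators, decode, strip parameters from
    every segment, then resolve dot-segments and collapse slashes."""
    if not uri.startswith("/"):
        return None
    if any(tok in uri.lower() for tok in ("%2f", "%5c", "%00")):
        return None                      # encoded '/', '\\' or NUL are never legitimate here
    decoded = unquote(uri)
    if "\\" in decoded:
        return None                      # assumption: backslash is not a separator we accept
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")[1:]]
    out = _resolve(segments)
    return None if out is None else _join(out, segments)


def _matches(pat, path):
    if pat.endswith("/*"):
        base = pat[:-2]
        return path == base or path.startswith(base + "/")
    if pat.startswith("*."):
        return path.endswith(pat[1:])
    return path == pat


def match_worker(uri_map, path):
    """Worker for an already-normalised path, or None if nothing (or an exclusion) matches."""
    if any(_matches(p[1:], path) for p in uri_map if p.startswith("!")):
        return None
    hits = [(p, w) for p, w in uri_map.items() if not p.startswith("!") and _matches(p, path)]
    if not hits:
        return None
    # exact beats prefix, longer prefix beats shorter, suffix patterns last (simplified)
    def rank(item):
        p = item[0]
        kind = 0 if p.startswith("*.") else 1 if p.endswith("/*") else 2
        return (kind, len(p))
    return max(hits, key=rank)[1]


def session_id_from_path(uri, name="jsessionid"):
    """Find ';name=value' in any segment of the (query-less) URI, as 1.2.45 does."""
    for seg in uri.split("/"):
        for param in seg.split(";")[1:]:
            key, _, value = param.partition("=")
            if key.lower() == name.lower():
                return value
    return None


def route(uri, uri_map=URI_MAP):
    """Normalise, then map: a request is only forwarded on its canonical path."""
    path = normalize(uri)
    return None if path is None else match_worker(uri_map, path)


if __name__ == "__main__":
    for u in ["/app/index.html", "/app/private/x", "/app;jsessionid=ABC.w1/page",
              "/app/..;x/admin/", "/app/%2e%2e/admin/", "/app/sub//page", "/.."]:
        print(f"{u:32} naive={naive_normalize(u)!s:20} aligned={normalize(u)!s:14} worker={route(u)}")
```

<p>The interesting row is <code>/app/..;x/admin/</code>: the naive normaliser keeps <code>..;x</code> as an ordinary segment, so the path still starts with <code>/app/</code> and is forwarded, while a backend that strips parameters per segment resolves it to <code>/admin/</code>. The aligned normaliser reaches <code>/admin/</code> itself and therefore never forwards it under <code>/app/*</code>.</p>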
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch openSUSE-SLE-15.4-2023-4513=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2023-4513=1</code>
</li>
<li class="list-group-item">
Server Applications Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP4-2023-4513=1</code>
</li>
<li class="list-group-item">
Server Applications Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP5-2023-4513=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-debugsource-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-1.2.49-150100.6.6.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-debugsource-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-1.2.49-150100.6.6.1</li>
</ul>
</li>
<li>
Server Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-debugsource-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-1.2.49-150100.6.6.1</li>
</ul>
</li>
<li>
Server Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>apache2-mod_jk-debuginfo-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-debugsource-1.2.49-150100.6.6.1</li>
<li>apache2-mod_jk-1.2.49-150100.6.6.1</li>
</ul>
</li>
</ul>
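<p>After running the <code>zypper</code> command for your product, the check a practitioner wants is whether the installed <code>apache2-mod_jk</code> build is at least the one in the package list above. The Python below is an added example written for this page, not SUSE tooling: it orders version and release strings the way <code>rpm</code> does (digit runs compare numerically, letter runs lexically, numeric beats alpha, a longer string is newer, <code>~</code> sorts before everything; the <code>^</code> operator is left out because it does not occur in these versions), splits a <code>name-version-release[.arch]</code> string, and reports the hosts in a constructed inventory that are still below the fixed build. It assumes the package carries no epoch, which is what <code>rpm -q</code> output without a query format implies; the sample inventory is made up for the example.</p>

```python
import re
from itertools import zip_longest

ARCHES = {"x86_64", "aarch64", "ppc64le", "s390x", "noarch", "src"}
FIXED = "apache2-mod_jk-1.2.49-150100.6.6.1"      # from the Package List above


def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm does: 1, 0 or -1.

    Tokens are digit runs, letter runs and '~'; separators such as '.' are ignored.
    ('^' is not handled; it does not appear in the versions on this page.)"""
    ta = re.findall(r"[0-9]+|[A-Za-z]+|~", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+|~", b)
    for x, y in zip_longest(ta, tb):
        if x == y:
            continue
        if x == "~":                     # tilde sorts before anything, even end of string
            return -1
        if y == "~":
            return 1
        if x is None:                    # the longer string is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):         # int() also drops leading zeros, as rpm does
                return 1 if int(x) > int(y) else -1
            continue
        if x.isdigit() != y.isdigit():   # numeric segment beats alphabetic segment
            return 1 if x.isdigit() else -1
        return 1 if x > y else -1
    return 0


def split_nvr(pkg):
    """'name-version-release[.arch]' -> (name, version, release). Epoch is assumed 0."""
    head, _, tail = pkg.rpartition(".")
    if tail in ARCHES:
        pkg = head
    name_ver, _, rel = pkg.rpartition("-")
    name, _, ver = name_ver.rpartition("-")
    if not (name and ver and rel):
        raise ValueError(f"not a name-version-release string: {pkg!r}")
    return name, ver, rel


def is_fixed(installed, fixed=FIXED):
    """True when the installed NVR is the fixed build or newer."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


# Constructed sample of what `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# apache2-mod_jk` might print on a few hosts (not real inventory data).
SAMPLE = {
    "web1": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
    "web2": "apache2-mod_jk-1.2.46-150100.3.3.1.x86_64",
    "web3": "apache2-mod_jk-1.2.49-150100.6.9.1.aarch64",
}


def unpatched(inventory=SAMPLE):
    """Hosts whose installed build is older than the fixed one."""
    return sorted(host for host, pkg in inventory.items() if not is_fixed(pkg))


if __name__ == "__main__":
    for host, pkg in SAMPLE.items():
        print(host, pkg, "OK" if is_fixed(pkg) else "NEEDS PATCH")
    print("unpatched:", unpatched())
```

<p>Feed it the real <code>rpm -q</code> output from each host; the release string is compared as well as the version, because SUSE ships fixes as new releases of the same upstream version far more often than as new versions, and a plain string comparison of <code>150100.6.6.1</code> against <code>150100.6.10.1</code> would get the order wrong.</p>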
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2018-11759.html">https://www.suse.com/security/cve/CVE-2018-11759.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1114612">https://bugzilla.suse.com/show_bug.cgi?id=1114612</a>
</li>
</ul>
</div>