[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2008-5519: mod_jk session information leak vulnerability
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2009-04-08 18:23:15
Message-ID: 20090408182315.GA19549 () redhat ! com
[Download RAW message or body]

Just a heads up for those of you shipping mod_jk.  There is a session
leak vulnerability where, in certain circumstances, client A can get the
responses intended for client B.

This was fixed upstream in version 1.2.27 but the security ramifications
weren't known at that point.

https://bugzilla.redhat.com/show_bug.cgi?id=490201

Our bug has a few more details.

http://svn.eu.apache.org/viewvc?view=rev&revision=702540

This is the upstream fix for the issue.

The issue has the CVE name CVE-2008-5519.

-- 
Vincent Danen / Red Hat Security Response Team 
[prev in list] [next in list] [prev in thread] [next in thread]