Security update for apache2-mod_jk SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:4032-1 Final 1 1 2018-12-07T18:48:25Z current 2018-12-07T18:48:25Z 2018-12-07T18:48:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2-mod_jk This update for apache2-mod_jk fixes the following issue: Security issue fixed: - CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP requests in httpd (bsc#1114612). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00010.html E-Mail link for openSUSE-SU-2018:4032-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 apache2-mod_jk-1.2.43-lp150.2.3.1 apache2-mod_jk-1.2.43-lp150.2.3.1 as a component of openSUSE Leap 15.0 The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. CVE-2018-11759 openSUSE Leap 15.0:apache2-mod_jk-1.2.43-lp150.2.3.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00010.html https://www.suse.com/security/cve/CVE-2018-11759.html CVE-2018-11759 https://bugzilla.suse.com/1114612 SUSE Bug 1114612