Updated Mod_JK RPMS Available

Due to security issues, I have updated the mod_jk RPMS to the latest stable version of 1.2.21:



Official Release Announcement

1 March 2007 - JK-1.2.21 released

The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.21 Stable.

This version addresses the security flaw:
CVE-2007-0774 A Long URL Stack Overflow Vulnerability exists in the URI handler for the mod_jk library. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code.

Please note this issue only affected versions 1.2.19 and 1.2.20 of the JK Apache Tomcat Connector and not previous versions. Tomcat 5.5.20 and Tomcat 4.1.34 included a vulnerable version in their source packages. No other source code releases and no binary packages of Tomcat were affected.

The Apache Tomcat project recommends that all users who have built mod_jk from source apply the patch or upgrade to the latest level and rebuild. Providers of mod_jk-based modules in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of mod_jk, and mod_jk users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their module.

The Tomcat Project thanks an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayintiative.com) for their responsible reporting of this vulnerability.
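
The bug class named in the announcement (an unbounded copy of a request URI into a fixed-size stack buffer) is shown below next to a length-checked form. This is an added illustration, not mod_jk source code: the function names, the 64-byte buffer and the `/app/` prefix are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define URI_BUF_LEN 64  /* constructed size for the demo, not mod_jk's value */

/* Unsafe pattern: strcpy() writes past buf when strlen(uri) >= URI_BUF_LEN.
 * Shown for comparison only; it is never called below. */
int match_unsafe(const char *uri, const char *prefix)
{
    char buf[URI_BUF_LEN];
    strcpy(buf, uri);
    buf[strcspn(buf, "?")] = '\0';          /* drop the query string */
    return strncmp(buf, prefix, strlen(prefix)) == 0;
}

/* Hardened form: measure first, reject what does not fit, then copy.
 * Returns 1 on match, 0 on no match, -1 when the URI is too long. */
int match_checked(const char *uri, const char *prefix)
{
    char buf[URI_BUF_LEN];
    size_t len = strlen(uri);
    if (len >= sizeof(buf))
        return -1;
    memcpy(buf, uri, len + 1);              /* includes the terminating NUL */
    buf[strcspn(buf, "?")] = '\0';
    return strncmp(buf, prefix, strlen(prefix)) == 0;
}

/* Builds a constructed URI "/app/aaaa..." of exactly n bytes and maps it. */
int probe_len(size_t n)
{
    static char uri[8192];
    if (n < 5 || n >= sizeof(uri))
        return -2;
    memset(uri, 'a', n);
    memcpy(uri, "/app/", 5);
    uri[n] = '\0';
    return match_checked(uri, "/app/");
}

int main(void)
{
    printf("63-byte URI   -> %d\n", probe_len(63));
    printf("64-byte URI   -> %d\n", probe_len(64));
    printf("4096-byte URI -> %d\n", probe_len(4096));
    return 0;
}
```

The checked version turns an overlong URL into an explicit error return that the caller can answer with a rejection, instead of a write past the end of the stack buffer.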
