1 March 2007 - JK-1.2.21 released
The Apache Tomcat team is proud to announce the immediate availability
of Tomcat Connectors 1.2.21 Stable.
This version addresses the security flaw:
A Long URL Stack Overflow Vulnerability exists in the URI handler for the mod_jk library.
When parsing a long URL request, the URI worker map routine performs an
unsafe memory copy. This results in a stack overflow condition which can
be leveraged execute arbitrary code.
Please note this issue only affected versions 1.2.19 and 1.2.20 of the
JK Apache Tomcat Connector and not previous versions.
Tomcat 5.5.20 and Tomcat 4.1.34
included a vulnerable version in their source packages.
No other source code releases and no binary packages
of Tomcat were affected.
The Apache Tomcat project recommends that all users who have built mod_jk from source apply the patch or upgrade to the latest level and rebuild. Providers of mod_jk-based modules in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of mod_jk, and mod_jk users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their module.
The Tomcat Project thanks an anonymous researcher working with
TippingPoint (www.tippingpoint.com) and the Zero Day Initiative
(www.zerodayintiative.com) for their responsible reporting of this
Download the JK 1.2.21 release sources
| PGP signature
Download the binaries for selected platforms.