GNU bug report logs - #47562
java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Fri, 2 Apr 2021 10:38:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 47562 <at> debbugs.gnu.org:


Date: Fri, 2 Apr 2021 13:18:05 +0200
From: Julien Lepiller <julien@HIDDEN>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN>
Subject: Re: bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Message-ID: <20210402131805.3ade4377@HIDDEN>
In-Reply-To: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@HIDDEN>
Cc: Léo Le Bouter <lle-bout@HIDDEN>, 47562 <at> debbugs.gnu.org


On Fri, 02 Apr 2021 12:37:27 +0200, Léo Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN> wrote:

> CVE-2021-28165	01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
>
> CVE-2021-28164	01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
>
> CVE-2021-28163	01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
>
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

Attached is a patch for these security issues. I'm not very happy with
them, because I had to do many things, but when updating 4-year-old packages,
it's somewhat expected.

The packages now require junit 5 to run the tests, so I had to disable
them, and dependencies have changed a bit, with the notable addition of
util-ajax. Unfortunately, I cannot update the 9.2.* versions, and
jetty-test-classes fails to build, though it's not needed anymore as
it's only used during tests.

I believe I added these packages initially only because I didn't want
users to mistakenly install the 9.2.* versions that were not the latest
at the time. We might want to update to jetty 11 or figure out how to
build junit 5, which has quite a complex dependency graph, with a few
cycles.

Thanks Léo for noticing this!

Attachment: 0001-gnu-java-eclipse-jetty-util-Update-to-9.4.39-securit.patch

From d5e5f91b523fb12f452a28648c67531e362a7637 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@HIDDEN>
Date: Fri, 2 Apr 2021 12:55:16 +0200
Subject: [PATCH] gnu: java-eclipse-jetty-util: Update to 9.4.39 [security
 fixes].

Fixes CVE-2021-28165 - jetty server high CPU when client send data length >
17408, CVE-2021-28164 - Normalize ambiguous URIs and CVE-2021-28163 - Exclude
webapps directory from deployment scan.

* gnu/packages/java.scm (java-eclipse-jetty-util): Update to 9.4.39.
(java-eclipse-jetty-util-ajax): New variable.
(java-eclipse-jetty-util, java-eclipse-jetty-io, java-eclipse-jetty-http)
(java-eclipse-jetty-jmx, java-eclipse-jetty-server)
(java-eclipse-jetty-security, java-eclipse-jetty-servlet)
(java-eclipse-jetty-xml, java-eclipse-jetty-webapp): Disable tests.
[native-inputs]: Remove test dependencies.
---
 gnu/packages/web.scm | 43 ++++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 7bc638ba88..7b0aee3b31 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6830,18 +6830,19 @@ Web Server.")
 (define-public java-eclipse-jetty-util
   (package
     (name "java-eclipse-jetty-util")
-    (version "9.4.6")
+    (version "9.4.39")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/eclipse/jetty.project/"
-                                  "archive/jetty-" version ".v20170531.tar.gz"))
+                                  "archive/jetty-" version ".v20210325.tar.gz"))
               (sha256
                (base32
-                "0x7kbdvkmgr6kbsmbwiiyv3bb0d6wk25frgvld9cf8540136z9p1"))))
+                "0b4hy4zmdmfbqk9bzmxk7v75y2ysqiappkip4z3hb9lxjvjh0b19"))))
     (build-system ant-build-system)
     (arguments
      `(#:jar-name "eclipse-jetty-util.jar"
        #:source-dir "src/main/java"
+       #:tests? #f; require junit 5
        #:test-exclude
        (list "**/Abstract*.java"
              ;; requires network
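Review bot: the ChangeLog entry in the commit message names gnu/packages/java.scm, but the diff header and this hunk modify gnu/packages/web.scm, and the entry lists java-eclipse-jetty-jmx and java-eclipse-jetty-xml under "Disable tests" although no hunk in this patch touches either package; the message needs correcting before it is pushed. On the bump itself: with `#:tests? #f` the `#:test-exclude` list that follows it is dead configuration (the same holds for the other packages that gain the flag further down), so either drop it or say why it is kept; and the source is still a GitHub-generated archive/ tarball, which GitHub does not promise to keep byte-identical, so the hash can stop matching later; fetching the jetty-9.4.39.v20210325 tag with git-fetch would be more robust. Finally, of the three CVEs named, only CVE-2021-28165 (7.2.2 to 9.4.38) covered the 9.4.6 that was packaged; per the advisories quoted in the reply, CVE-2021-28164 affects 9.4.37 through 9.4.38 and CVE-2021-28163 9.4.32 through 9.4.38, so the "Fixes" line overstates what this update closes on Guix.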
@@ -6860,11 +6861,6 @@ Web Server.")
     (inputs
      `(("slf4j" ,java-slf4j-api)
        ("servlet" ,java-javaee-servletapi)))
-    (native-inputs
-     `(("junit" ,java-junit)
-       ("hamcrest" ,java-hamcrest-all)
-       ("perf-helper" ,java-eclipse-jetty-perf-helper)
-       ("test-helper" ,java-eclipse-jetty-test-helper)))
     (home-page "https://www.eclipse.org/jetty/")
     (synopsis "Utility classes for Jetty")
     (description "The Jetty Web Server provides an HTTP server and Servlet
@@ -6925,6 +6921,7 @@ or embedded instantiation.  This package provides utility classes.")
      `(#:jar-name "eclipse-jetty-io.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:test-exclude (list "**/Abstract*.java"
                             ;; Abstract class
                             "**/EndPointTest.java")
@@ -6966,6 +6963,7 @@ or embedded instantiation.  This package provides IO-related utility classes."))
      `(#:jar-name "eclipse-jetty-http.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'chdir
@@ -7101,9 +7099,6 @@ or embedded instantiation.  This package provides the JMX management.")))
        ("io" ,java-eclipse-jetty-io)
        ("jmx" ,java-eclipse-jetty-jmx)
        ("util" ,java-eclipse-jetty-util)))
-    (native-inputs
-     `(("test-classes" ,java-eclipse-jetty-http-test-classes)
-       ,@(package-native-inputs java-eclipse-jetty-util)))
     (synopsis "Core jetty server artifact")
     (description "The Jetty Web Server provides an HTTP server and Servlet
 container capable of serving static and dynamic content either from a standalone
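Review bot: the test dependencies are removed from jetty-server here, but no hunk in this patch adds `#:tests? #f` to its arguments (unlike jetty-util, -io, -http, -security, -servlet and -webapp), so unless tests were already disabled for this package the ant-build-system check phase will run without junit on the classpath; either add the flag or take jetty-server out of the "Disable tests" list in the ChangeLog entry.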
@@ -7133,6 +7128,7 @@ artifact.")))
      `(#:jar-name "eclipse-jetty-security.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:test-exclude (list "**/ConstraintTest.*") ; This test fails
        #:phases
        (modify-phases %standard-phases
@@ -7146,9 +7142,6 @@ artifact.")))
        ("http" ,java-eclipse-jetty-http)
        ("server" ,java-eclipse-jetty-server)
        ("util" ,java-eclipse-jetty-util)))
-    (native-inputs
-     `(("io" ,java-eclipse-jetty-io)
-       ,@(package-native-inputs java-eclipse-jetty-util)))
     (synopsis "Jetty security infrastructure")
     (description "The Jetty Web Server provides an HTTP server and Servlet
 container capable of serving static and dynamic content either from a standalone
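Review bot: jetty-security loses its only reference to java-eclipse-jetty-io here and gains no replacement in `inputs` (which lists only http, server and util), whereas the last hunk of this patch moves io from native-inputs to inputs for jetty-webapp; if any main source in jetty-security imports org.eclipse.jetty.io classes this will fail to compile, so confirm the build, and add io to `inputs` if it is needed.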
@@ -7169,6 +7162,18 @@ infrastructure")))
      `(("io" ,java-eclipse-jetty-io-9.2)
        ,@(package-native-inputs java-eclipse-jetty-util-9.2)))))
 
+(define-public java-eclipse-jetty-util-ajax
+  (package
+    (inherit java-eclipse-jetty-util)
+    (name "java-eclipse-jetty-util-ajax")
+    (arguments
+     `(#:jar-name "eclipse-jetty-util-ajax.jar"
+       #:source-dir "jetty-util-ajax/src/main/java"
+       #:tests? #f)); require junit 5
+    (inputs
+     `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util)
+       ("java-javaee-servletapi" ,java-javaee-servletapi)))))
+
 (define-public java-eclipse-jetty-servlet
   (package
     (inherit java-eclipse-jetty-util)
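Review bot: the context lines show the -9.2 variants (java-eclipse-jetty-util-9.2, java-eclipse-jetty-io-9.2) are left as they are; the cover note says they cannot be updated, yet 9.2.x sits inside the CVE-2021-28165 range (7.2.2 to 9.4.38), so they remain exported as known-affected servers and the commit message should say so rather than leaving it implicit. On the new java-eclipse-jetty-util-ajax: it inherits synopsis, description and home-page from java-eclipse-jetty-util, so `guix search` will describe it as "Utility classes for Jetty"; give it its own synopsis and description. Also the `; require junit 5` comment sits after the closing parentheses of the arguments form instead of next to `#:tests? #f` as in the other packages.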
@@ -7177,6 +7182,7 @@ infrastructure")))
      `(#:jar-name "eclipse-jetty-servlet.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'chdir
@@ -7186,8 +7192,8 @@ infrastructure")))
     (inputs
      `(("slf4j" ,java-slf4j-api)
        ("java-javaee-servletapi" ,java-javaee-servletapi)
+       ("java-eclipse-jetty-util-ajax" ,java-eclipse-jetty-util-ajax)
        ("http" ,java-eclipse-jetty-http)
-       ("http-test" ,java-eclipse-jetty-http-test-classes)
        ("io" ,java-eclipse-jetty-io)
        ("jmx" ,java-eclipse-jetty-jmx)
        ("security" ,java-eclipse-jetty-security)
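Review bot: the input changes here (java-eclipse-jetty-util-ajax added, java-eclipse-jetty-http-test-classes removed) are not recorded in the ChangeLog entry, which only mentions `[native-inputs]: Remove test dependencies`; add an `[inputs]` line for jetty-servlet so the dependency change is documented.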
@@ -7277,6 +7283,7 @@ container.")))
      `(#:jar-name "eclipse-jetty-webapp.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        ;; One test fails
        #:test-exclude (list "**/WebAppContextTest.java")
        #:phases
@@ -7288,14 +7295,12 @@ container.")))
     (inputs
      `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util)
        ("java-eclipse-jetty-http" ,java-eclipse-jetty-http)
+       ("java-eclipse-jetty-io" ,java-eclipse-jetty-io)
        ("java-eclipse-jetty-server" ,java-eclipse-jetty-server)
        ("java-eclipse-jetty-servlet" ,java-eclipse-jetty-servlet)
        ("java-eclipse-jetty-security" ,java-eclipse-jetty-security)
        ("java-eclipse-jetty-xml" ,java-eclipse-jetty-xml)
-       ("java-javaee-servletapi" ,java-javaee-servletapi)))
-    (native-inputs
-     `(("java-eclipse-jetty-io" ,java-eclipse-jetty-io)
-       ,@(package-native-inputs java-eclipse-jetty-util)))))
+       ("java-javaee-servletapi" ,java-javaee-servletapi)))))
 
 (define-public java-eclipse-jetty-webapp-9.2
   (package
-- 
2.31.0






Information forwarded to bug-guix@HIDDEN:
bug#47562; Package guix. Full text available.


Information forwarded to bug-guix@HIDDEN:
bug#47562; Package guix. Full text available.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Message-ID: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@HIDDEN>
Subject: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
From: Léo Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Fri, 02 Apr 2021 12:37:27 +0200

CVE-2021-28165	01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.

CVE-2021-28164	01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.

CVE-2021-28163	01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory is deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.

The fix is to upgrade to latest version, currently: 9.4.39.v20210325

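The CVE-2021-28164 entry in the report above describes a request whose path segment only turns into "." or ".." after percent-decoding, which is what let /context/%2e/WEB-INF/web.xml reach a file the container should never serve. An operator who ran an affected 9.4.37 or 9.4.38 instance will want to know whether anyone tried this before the upgrade. The following is an added example written for this page, not code from the Guix bug, the Jetty project or either poster: it parses access-log lines, decodes and normalises each request path, and flags requests that reach WEB-INF or META-INF through an encoded dot segment (the CVE pattern) separately from plain probes for those directories. The log lines are constructed, and the NCSA common log format is an assumption about how the server was configured to log.

```python
"""Flag CVE-2021-28164-style ambiguous-URI requests in Jetty access logs.

Added example for this page, not code from the Guix bug or the Jetty
project.  The lines in SAMPLE_LOG are constructed; the parser assumes the
NCSA common log format.
"""
import re
from urllib.parse import unquote

# NCSA common log format: host ident authuser [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Directories a servlet container must never serve directly.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def raw_segments(target):
    """Split a request target into its still-percent-encoded path segments."""
    path = target.split("?", 1)[0]          # the query string is not part of the path
    return path.split("/")[1:] if path.startswith("/") else path.split("/")


def is_ambiguous_dot_segment(raw_seg):
    """True when a segment only becomes '.' or '..' after percent-decoding.

    Literal '.' and '..' are collapsed by the container before security
    constraints are applied; '%2e' and '%2e%2e' (any case) were not in the
    affected Jetty releases, which is the gap the advisory describes.
    """
    return "%" in raw_seg and unquote(raw_seg) in (".", "..")


def normalize(segments):
    """Percent-decode every segment, then apply RFC 3986 dot-segment removal."""
    out = []
    for seg in segments:
        dec = unquote(seg)
        if dec == ".":
            continue
        if dec == "..":
            if out:
                out.pop()
            continue
        out.append(dec)
    return out


def classify(target):
    """Label one request target, or return None when it looks benign."""
    raw = raw_segments(target)
    touches_protected = any(seg.lower() in PROTECTED_DIRS for seg in normalize(raw))
    if touches_protected and any(is_ambiguous_dot_segment(s) for s in raw):
        return "ambiguous-dot-segment-to-protected-dir"   # the CVE-2021-28164 pattern
    if touches_protected:
        return "direct-protected-dir-probe"               # refused by any compliant container
    return None


def scan(log_lines):
    """Return (line_no, client, label, target) for every flagged request."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if m is None:
            continue                        # unparseable line; production code would count these
        label = classify(m.group("target"))
        if label is not None:
            findings.append((n, m.group("host"), label, m.group("target")))
    return findings


# Constructed sample: two encoded traversals, one normal request, one plain probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2021:12:00:01 +0200] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 1234',
    '10.0.0.5 - - [02/Apr/2021:12:00:02 +0200] "GET /context/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [02/Apr/2021:12:00:03 +0200] "GET /context/static/%2E%2E/WEB-INF/classes/app.properties HTTP/1.1" 404 0',
    '10.0.0.7 - - [02/Apr/2021:12:00:04 +0200] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, client, label, target in scan(SAMPLE_LOG):
        print(f"line {line_no}: {client} {label} {target}")
```

The status code is deliberately not used for classification: a 200 on an ambiguous-segment request to WEB-INF is the strongest signal that the instance was exploitable at the time, but a 404 only tells you the file was absent or the server already patched, so both are worth reviewing. Feed the function real lines with `scan(open(path).read().splitlines())`; anything the regex does not match is skipped, so adapt `LOG_RE` if the server logs in a different format.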





Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47562; Package guix. Full text available.
Last modified: Fri, 2 Apr 2021 11:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.