GNU bug report logs - #47562
java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 2 Apr 2021 10:38:01 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#47562; Package guix. (Fri, 02 Apr 2021 10:38:01 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 02 Apr 2021 10:38:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Date: Fri, 02 Apr 2021 12:37:27 +0200
CVE-2021-28165	01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.

CVE-2021-28164	01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.

CVE-2021-28163	01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory is deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.

The fix is to upgrade to latest version, currently: 9.4.39.v20210325
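The CVE-2021-28164 entry above is a canonicalization mismatch: the check that protects WEB-INF ran on the raw request path, so a segment spelled "%2e" was not recognised as ".", while the resource layer that actually opened the file decoded and normalized the path afterwards. The following Python is an added example written for this page, not Jetty's code and not part of the Guix patch; it contrasts a naive prefix check on the raw path with one that percent-decodes and resolves dot-segments before comparing. The context path "/context", the protected directory names and all request targets are constructed for the example. It also exercises a percent-encoded letter in the directory name ("%57EB-INF"), which is a further instance of the same raw-versus-decoded mismatch in this toy checker, not a claim about Jetty.

```python
"""Added example: why a protected-path check must run on the decoded,
normalized path (CVE-2021-28164 class of bug).  Not Jetty's code."""

from typing import Optional
from urllib.parse import unquote

CONTEXT_PATH = "/context"                 # hypothetical deployed context
PROTECTED_DIRS = ("WEB-INF", "META-INF")  # assumed protected top-level dirs


def path_in_context(raw_target: str) -> Optional[str]:
    """Return the request path below the context, or None if the request
    belongs to some other context."""
    if raw_target == CONTEXT_PATH:
        return "/"
    if not raw_target.startswith(CONTEXT_PATH + "/"):
        return None
    return raw_target[len(CONTEXT_PATH):]


def first_segment(path: str) -> str:
    """First path segment of an absolute path ('' for '/')."""
    return path.lstrip("/").split("/", 1)[0]


def resolve_dot_segments(decoded_path: str) -> Optional[str]:
    """Remove '.' and '..' segments (RFC 3986 style).  Returns None when
    '..' would climb above the context root, which a server must refuse."""
    resolved: list = []
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not resolved:
                return None
            resolved.pop()
        else:
            resolved.append(seg)
    return "/" + "/".join(resolved)


def naive_is_protected(raw_target: str) -> bool:
    """Weak form: inspects the raw, still percent-encoded path.  The first
    segment of '/%2e/WEB-INF/web.xml' is '%2e', so the check says 'not
    protected' even though the file layer later resolves it to WEB-INF."""
    path = path_in_context(raw_target)
    if path is None:
        return False
    return first_segment(path).upper() in PROTECTED_DIRS


def hardened_is_protected(raw_target: str) -> bool:
    """Corrected form: decode percent-escapes first (so '%2e' becomes '.'
    and '%57' becomes 'W'), resolve dot-segments, then compare.  Decoding
    before splitting means an encoded '/' also acts as a separator, which
    is the conservative choice for a deny-check."""
    path = path_in_context(raw_target)
    if path is None:
        return False
    canonical = resolve_dot_segments(unquote(path))
    if canonical is None:
        return True          # attempted escape from the context root: refuse
    return first_segment(canonical).upper() in PROTECTED_DIRS


if __name__ == "__main__":
    # Constructed request targets; the first three mirror the advisory text.
    for target in ("/context/WEB-INF/web.xml",
                   "/context/%2e/WEB-INF/web.xml",
                   "/context/static/%2e%2e/WEB-INF/web.xml",
                   "/context/%57EB-INF/web.xml",
                   "/context/index.html"):
        print(f"{target:45} naive={naive_is_protected(target)!s:5} "
              f"hardened={hardened_is_protected(target)}")
```

Running it shows the naive check letting every encoded variant through while the hardened check blocks them and still allows /context/index.html. The same ordering rule applies to any deny-list on paths: decode, normalize, then compare, and reject outright anything that cannot be normalized.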

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Fri, 02 Apr 2021 10:39:01 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#47562; Package guix. (Fri, 02 Apr 2021 11:19:02 GMT)

Message #10 received at submit <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org>
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>, 47562 <at> debbugs.gnu.org
Subject: Re: bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Date: Fri, 2 Apr 2021 13:18:05 +0200
Le Fri, 02 Apr 2021 12:37:27 +0200,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> a écrit :

> CVE-2021-28165	01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
> 
> CVE-2021-28164	01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
> 
> CVE-2021-28163	01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
> 
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

attached is a patch for these security issues. I'm not very happy with
them, because I had to do many things, but when updating 4 yo packages,
it's somewhat expected.

The packages now require junit 5 to run the tests, so I had to disable
them, and dependencies have changed a bit, with the notable addition of
util-ajax. Unfortunately, I cannot update the 9.2.* versions, and
jetty-test-classes fails to build, though it's not needed anymore as
it's only used during tests.

I believe I added these packages initially only because I didn't want
users to mistakenly install the 9.2.* versions that were not the latest
at the time. We might want to update to jetty 11 or figure out how to
build junit 5, which has quite a complex dependency graph, with a few
cycles.

Thanks Léo for noticing this!
[0001-gnu-java-eclipse-jetty-util-Update-to-9.4.39-securit.patch (text/x-patch, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#47562; Package guix. (Fri, 02 Apr 2021 11:19:02 GMT)

Reply sent to Julien Lepiller <julien <at> lepiller.eu>:
You have taken responsibility. (Mon, 12 Apr 2021 14:42:02 GMT)

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Mon, 12 Apr 2021 14:42:02 GMT)

Message #18 received at 47562-done <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: 47562-done <at> debbugs.gnu.org
Subject: Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Date: Mon, 12 Apr 2021 16:41:45 +0200
Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 11 May 2021 11:24:07 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.