
From: GNU bug Tracking System
Subject: bug#47562: closed (java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade))
Date: Mon, 12 Apr 2021 14:42:02 +0000

Your message dated Mon, 12 Apr 2021 16:41:45 +0200
with message-id <20210412164138.6d23eed8@tachikoma.lepiller.eu>
and subject line Re: java-eclipse-jetty-* packages are vulnerable to 
CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 
4y w/o upgrade)
has caused the debbugs.gnu.org bug report #47562,
regarding java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, 
CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
47562: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47562
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Date: Fri, 02 Apr 2021 12:37:27 +0200
User-agent: Evolution 3.34.2
CVE-2021-28165  01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.

CVE-2021-28164  01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.

CVE-2021-28163  01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory are deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.

The fix is to upgrade to the latest version, currently: 9.4.39.v20210325

--- End Message ---
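The three advisories quoted in the report each state an inclusive range of affected Jetty versions, and the fix named is 9.4.39.v20210325. The following is an added example, not code from the bug report or from the Guix or Jetty projects: a small checker that parses Jetty version strings (`9.4.38.v20210224`, `10.0.0.alpha0`, `10.0.1`) and reports which of the three CVEs' stated ranges a given version falls into. It assumes that the `.vYYYYMMDD` build tag does not affect ordering and that `alpha` sorts before `beta`, which sorts before the final release of the same x.y.z; the sample versions in the `__main__` block are constructed and are not the versions any distribution shipped. It covers only the three CVEs named in the report, not the "MANY others" the reporter suspects.

```python
import re
from typing import List, Tuple

# Inclusive affected ranges, transcribed from the three advisory texts quoted
# in the report. Build tags such as ".v20210224" are ignored for ordering
# (assumption made for this example).
AFFECTED_RANGES = {
    "CVE-2021-28165": [("7.2.2", "9.4.38"), ("10.0.0.alpha0", "10.0.1"),
                       ("11.0.0.alpha0", "11.0.1")],
    "CVE-2021-28164": [("9.4.37", "9.4.38")],
    "CVE-2021-28163": [("9.4.32", "9.4.38"), ("10.0.0.beta2", "10.0.1"),
                       ("11.0.0.beta2", "11.0.1")],
}

# Jetty version strings look like "9.4.38.v20210224", "10.0.0.alpha0" or "10.0.1".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\.(?:(alpha|beta)(\d+)|v\d{8}))?$")

# Pre-release tags sort before the final release of the same x.y.z.
_STAGE_RANK = {"alpha": 0, "beta": 1, None: 2}


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Jetty version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch),
            _STAGE_RANK[stage], int(stage_num) if stage_num else 0)


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the report whose stated range contains `version`."""
    key = version_key(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for low, high in ranges:
            if version_key(low) <= key <= version_key(high):
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample versions, not the versions shipped by any distribution.
    for v in ["9.4.38.v20210224", "10.0.0.beta2",
              "9.2.22.v20170606", "9.4.39.v20210325"]:
        print(f"{v:>18}: {affected_cves(v) or 'not in any stated range'}")
```

Running the block prints, for each sample version, the CVEs whose stated range it falls into; the fixed release 9.4.39.v20210325 matches none of them. A version string the regex does not recognise raises `ValueError` rather than silently passing as unaffected.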
--- Begin Message ---
Subject: Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Date: Mon, 12 Apr 2021 16:41:45 +0200
Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.


--- End Message ---
