Acknowledgement sent
to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org.
(Fri, 02 Apr 2021 10:38:02 GMT) (full text, mbox, link).
CVE-2021-28165 01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.
CVE-2021-28164 01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.
CVE-2021-28163 01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory is deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.
The fix is to upgrade to latest version, currently: 9.4.39.v20210325
To: Léo Le Bouter via Bug reports for GNU Guix
<bug-guix@gnu.org>
Cc: Léo Le Bouter <lle-bout@zaclys.net>, 47562@debbugs.gnu.org
Subject: Re: bug#47562: java-eclipse-jetty-* packages are vulnerable to
CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY
others, 4y w/o upgrade)
Le Fri, 02 Apr 2021 12:37:27 +0200,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> a écrit :
> CVE-2021-28165 01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
>
> CVE-2021-28164 01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
>
> CVE-2021-28163 01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
>
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325
Hi Guix!
attached is a patch for these security issues. I'm not very happy with
them, because I had to do many things, but when updating 4 yo packages,
it's somewhat expected.
The packages now require junit 5 to run the tests, so I had to disable
them, and dependencies have changed a bit, with the notable addition of
util-ajax. Unfortunately, I cannot update the 9.2.* versions, and
jetty-test-classes fails to build, though it's not needed anymore as
it's only used during tests.
I believe I added these packages initially only because I didn't want
users to mistakenly install the 9.2.* versions that were not the latest
at the time. We might want to update to jetty 11 or figure out how to
build junit 5, which has quite a complex dependency graph, with a few
cycles.
Thanks Léo for noticing this!
Subject: Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165,
CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o
upgrade)
Date: Mon, 12 Apr 2021 16:41:45 +0200
Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.
bug archived.
Request was from Debbugs Internal Request <help-debbugs@gnu.org>
to internal_control@debbugs.gnu.org.
(Tue, 11 May 2021 11:24:07 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the
GNU Public License version 2. The current version can be
obtained from https://bugs.debian.org/debbugs-source/.