GNU bug report logs

#47562 java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)

Message #10 received at submit@debbugs.gnu.org:

Date: Fri, 2 Apr 2021 13:18:05 +0200
From: Julien Lepiller <julien@lepiller.eu>
To: Léo Le Bouter via Bug reports for GNU Guix
 <bug-guix@gnu.org>
Subject: Re: bug#47562: java-eclipse-jetty-* packages are vulnerable to
 CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY
 others, 4y w/o upgrade)
Message-ID: <20210402131805.3ade4377@tachikoma.lepiller.eu>
In-Reply-To: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net>
References: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="MP_/G4GRTE6Ox3D=ogSLsgBpP26"
[Message part 1 (text/plain, inline)]
Le Fri, 02 Apr 2021 12:37:27 +0200,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> a écrit :

> CVE-2021-28165	01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
> 
> CVE-2021-28164	01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
> 
> CVE-2021-28163	01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
> 
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

Attached is a patch for these security issues. I'm not very happy with
them, because I had to do many things, but when updating 4 yo packages,
it's somewhat expected.

The packages now require junit 5 to run the tests, so I had to disable
them, and dependencies have changed a bit, with the notable addition of
util-ajax. Unfortunately, I cannot update the 9.2.* versions, and
jetty-test-classes fails to build, though it's not needed anymore as
it's only used during tests.

I believe I added these packages initially only because I didn't want
users to mistakenly install the 9.2.* versions that were not the latest
at the time. We might want to update to jetty 11 or figure out how to
build junit 5, which has quite a complex dependency graph, with a few
cycles.

Thanks Léo for noticing this!
[0001-gnu-java-eclipse-jetty-util-Update-to-9.4.39-securit.patch (text/x-patch, attachment)]
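The CVE-2021-28164 description quoted above turns on a single detail: the container matched the request path against the protected WEB-INF prefix before decoding %2e segments, so /context/%2e/WEB-INF/web.xml slipped past the check. The following Python is an added example, not part of this bug report, of the Guix patch, or of Jetty itself. It shows the decode-then-normalise order a defender expects, and uses it to scan constructed access-log lines (the addresses, paths and timestamps are made up) for requests that resolve into WEB-INF or META-INF, separating successful retrievals from probes that were refused. The remedy the report gives, upgrading to 9.4.39.v20210325, is unchanged; this only helps find whether a vulnerable instance was hit.

```python
"""Spot requests whose canonical path reaches a servlet container's
protected directories, even when the dots are percent-encoded.

Added example (assumed helper names, not from the bug report or Jetty):
  canonical_path        -- percent-decode, then collapse '.' and '..'
  reaches_protected     -- does the canonical path enter WEB-INF/META-INF?
  has_encoded_dot_segment -- was a dot segment percent-encoded (the
                             CVE-2021-28164 bypass signature)?
  scan_log              -- run the checks over common-log-format lines
"""
import re
from urllib.parse import unquote

# Directories the servlet specification says must never be served.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}

# Minimal common-log-format parser: client, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def canonical_path(raw_target: str) -> str:
    """Decode the path first, then resolve dot segments.

    Doing it in this order is the point: '%2e' and '%2e%2e' become '.'
    and '..' and are collapsed, instead of surviving as literal segments
    that a prefix match on '/WEB-INF/' never sees.
    """
    path = raw_target.split("?", 1)[0]
    decoded = unquote(path)
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def reaches_protected(raw_target: str) -> bool:
    """True if any segment of the canonical path is WEB-INF or META-INF."""
    return any(seg.upper() in PROTECTED_DIRS
               for seg in canonical_path(raw_target).split("/"))


def has_encoded_dot_segment(raw_target: str) -> bool:
    """True if a '.' or '..' segment was written with %2e in the raw URI."""
    path = raw_target.split("?", 1)[0]
    return any("%2e" in seg.lower() and unquote(seg) in (".", "..")
               for seg in path.split("/"))


def scan_log(lines):
    """Return one finding per request that resolves into a protected dir."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        if not reaches_protected(target):
            continue
        status = int(m["status"])
        findings.append({
            "client": m["client"],
            "target": target,
            "canonical": canonical_path(target),
            "status": status,
            "encoded_dots": has_encoded_dot_segment(target),
            "served": 200 <= status < 300,   # content actually left the box
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2021:12:00:01 +0200] "GET /context/index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Apr/2021:12:00:02 +0200] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.7 - - [02/Apr/2021:12:00:03 +0200] "GET /context/static/%2e%2e/WEB-INF/classes/app.properties HTTP/1.1" 200 300',
    '10.0.0.9 - - [02/Apr/2021:12:00:04 +0200] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0',
    '10.0.0.9 - - [02/Apr/2021:12:00:05 +0200] "GET /context/docs/./readme.txt HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        kind = "SERVED" if f["served"] else "refused"
        enc = " (encoded dots)" if f["encoded_dots"] else ""
        print(f'{kind:8} {f["client"]:10} {f["target"]} -> {f["canonical"]}{enc}')
```

Two of the three findings on the sample input are served requests that used encoded dot segments, which is exactly the pattern that distinguishes a CVE-2021-28164 hit from an ordinary, correctly refused /WEB-INF/ probe; the plain-dot line under /docs/ never reaches a protected directory and is not reported.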



debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Mon Dec 30 18:10:27 2024; Machine Name: wallace-server
