From: bug#47562 <47562@debbugs.gnu.org>
To: bug#47562 <47562@debbugs.gnu.org>
Subject: Status: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Date: Sat, 21 Jun 2025 17:32:31 +0000

retitle 47562 java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
reassign 47562 guix
submitter 47562 Léo Le Bouter
severity 47562 normal
tag 47562 security
thanks


From: Léo Le Bouter
To: bug-guix@gnu.org
Date: Fri, 02 Apr 2021 12:37:27 +0200
Subject: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Message-ID: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net>

CVE-2021-28165 01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

CVE-2021-28164 01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVE-2021-28163 01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
The fix is to upgrade to the latest version, currently 9.4.39.v20210325.
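The %2e and %2e%2e issue in CVE-2021-28164 above comes down to authorising on the raw request path and resolving dot segments afterwards. The Python below is an added example, not Jetty code and not part of this bug report: a naive prefix check on the still-encoded path beside a hardened check that decodes each segment once, resolves `.` and `..`, refuses ambiguous encodings, and only then compares against WEB-INF and META-INF, plus a small scanner over access-log lines that shows how such requests look to a defender. The context path /context, the function names, the response labels and the log lines are all constructed for the illustration.

```python
# Added example: prefix check on a raw path versus a normalizing check
# (CVE-2021-28164 shape). Not Jetty code; all names below are constructed.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

CONTEXT_PATH = "/context"                # constructed: the webapp's context path
PROTECTED = ("/WEB-INF/", "/META-INF/")  # never served directly by a container


def path_in_context(request_path: str) -> Optional[str]:
    """Strip the context path, as the container does before dispatching.
    Returns None when the request is not addressed to this context."""
    if request_path == CONTEXT_PATH:
        return "/"
    if request_path.startswith(CONTEXT_PATH + "/"):
        return request_path[len(CONTEXT_PATH):]
    return None


def is_protected(path: str) -> bool:
    """True if PATH is one of the protected directories or lies under one."""
    up = path.upper()
    return any(up == p.rstrip("/") or up.startswith(p) for p in PROTECTED)


def naive_authorize(request_path: str) -> str:
    """Vulnerable pattern: decide on the raw, still-encoded path.
    '/%2e/WEB-INF/web.xml' does not start with '/WEB-INF/', so it passes,
    and the resource lookup later resolves the '.' and returns web.xml."""
    rel = path_in_context(request_path)
    if rel is None:
        return "404 no such context"
    return "404 protected" if is_protected(rel) else "200 serve"


def canonicalize(rel_path: str) -> Optional[str]:
    """Decode each segment once and resolve '.' and '..'. Returns None for an
    ambiguous path: a percent-encoded dot segment, an encoded '/' or NUL,
    an empty inner segment, or '..' climbing above the context root."""
    if not rel_path.startswith("/"):
        return None
    segments = rel_path.split("/")[1:]
    out: List[str] = []
    for i, raw in enumerate(segments):
        seg = unquote(raw)
        if "/" in seg or "\x00" in seg:
            return None
        if seg in (".", "..") and raw != seg:
            return None                  # '%2e' / '%2e%2e': the CVE shape
        if seg == "":
            if i == len(segments) - 1:
                out.append("")           # keep a trailing slash
                continue
            return None
        if seg == ".":
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def hardened_authorize(request_path: str) -> str:
    """Normalize first, refuse anything ambiguous, then apply the prefix check."""
    rel = path_in_context(request_path)
    if rel is None:
        return "404 no such context"
    canonical = canonicalize(rel)
    if canonical is None:
        return "400 ambiguous path"
    return "404 protected" if is_protected(canonical) else "200 serve"


LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed access-log lines in common log format, not from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2021:12:00:01 +0200] "GET /context/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Apr/2021:12:00:02 +0200] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0',
    '203.0.113.7 - - [02/Apr/2021:12:00:03 +0200] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Apr/2021:12:00:04 +0200] "GET /context/static/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 2048',
]


def flag_suspicious(log_lines: List[str]) -> List[Tuple[str, int]]:
    """Return (path, status) for requests that were ambiguous or that resolve
    under a protected prefix; a 200 among them means something was served."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, status = m.group(1), int(m.group(2))
        rel = path_in_context(path.split("?", 1)[0])
        if rel is None:
            continue
        canonical = canonicalize(rel)
        if canonical is None or is_protected(canonical):
            hits.append((path, status))
    return hits


if __name__ == "__main__":
    for p in ("/context/index.html", "/context/WEB-INF/web.xml",
              "/context/%2e/WEB-INF/web.xml", "/context/static/%2e%2e/WEB-INF/web.xml"):
        print(f"{p:42} naive={naive_authorize(p):14} hardened={hardened_authorize(p)}")
    for path, status in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious: {status} {path}")
```

Answering an ambiguous path with 400 rather than guessing what it meant is the same posture as the "Normalize ambiguous URIs" fix named in the patch's commit message further down. In a real deployment the check belongs in the container, not in application code; the log scanner is useful on its own when reviewing whether an unpatched 9.4.37 or 9.4.38 instance was probed before the upgrade.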
From: Léo Le Bouter
To: control@debbugs.gnu.org
Date: Fri, 02 Apr 2021 12:38:29 +0200
Message-ID: <80f09be2c4e04dd5b685fca546d6de5c3caaad4e.camel@zaclys.net>

tags 47562 + security
quit


From: Julien Lepiller
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: Léo Le Bouter, 47562@debbugs.gnu.org
Date: Fri, 2 Apr 2021 13:18:05 +0200
Subject: Re: bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Message-ID: <20210402131805.3ade4377@tachikoma.lepiller.eu>
In-Reply-To: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net>

On Fri, 02 Apr 2021 12:37:27 +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28165 01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
> 
> CVE-2021-28164 01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
> 
> CVE-2021-28163 01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
> 
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

Attached is a patch for these security issues. I'm not very happy with them, because I had to do many things, but when updating 4 yo packages, it's somewhat expected. The packages now require junit 5 to run the tests, so I had to disable them, and dependencies have changed a bit, with the notable addition of util-ajax.

Unfortunately, I cannot update the 9.2.* versions, and jetty-test-classes fails to build, though it's not needed anymore as it's only used during tests. I believe I added these packages initially only because I didn't want users to mistakenly install the 9.2.* versions that were not the latest at the time.

We might want to update to jetty 11 or figure out how to build junit 5, which has quite a complex dependency graph, with a few cycles.

Thanks Léo for noticing this!

[Attachment: 0001-gnu-java-eclipse-jetty-util-Update-to-9.4.39-securit.patch, text/x-patch]

From d5e5f91b523fb12f452a28648c67531e362a7637 Mon Sep 17 00:00:00 2001
From: Julien Lepiller Date: Fri, 2 Apr 2021 12:55:16 +0200 Subject: [PATCH] gnu: java-eclipse-jetty-util: Update to 9.4.39 [security fixes]. Fixes CVE-2021-28165 - jetty server high CPU when client send data length > 17408, CVE-2021-28164 - Normalize ambiguous URIs and CVE-2021-28163 - Exclude webapps directory from deployment scan. * gnu/packages/java.scm (java-eclipse-jetty-util): Update to 9.4.39. (java-eclipse-jetty-util-ajax): New variable. (java-eclipse-jetty-util, java-eclipse-jetty-io, java-eclipse-jetty-http) (java-eclipse-jetty-jmx, java-eclipse-jetty-server) (java-eclipse-jetty-security, java-eclipse-jetty-servlet) (java-eclipse-jetty-xml, java-eclipse-jetty-webapp): Disable tests. [native-inputs]: Remove test dependencies. --- gnu/packages/web.scm | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 7bc638ba88..7b0aee3b31 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -6830,18 +6830,19 @@ Web Server.") (define-public java-eclipse-jetty-util (package (name "java-eclipse-jetty-util") - (version "9.4.6") + (version "9.4.39") (source (origin (method url-fetch) (uri (string-append "https://github.com/eclipse/jetty.project/" - "archive/jetty-" version ".v20170531.tar.gz")) + "archive/jetty-" version ".v20210325.tar.gz")) (sha256 (base32 - "0x7kbdvkmgr6kbsmbwiiyv3bb0d6wk25frgvld9cf8540136z9p1")))) + "0b4hy4zmdmfbqk9bzmxk7v75y2ysqiappkip4z3hb9lxjvjh0b19")))) (build-system ant-build-system) (arguments `(#:jar-name "eclipse-jetty-util.jar" #:source-dir "src/main/java" + #:tests? #f; require junit 5 #:test-exclude (list "**/Abstract*.java" ;; requires network 
@@ -6860,11 +6861,6 @@ Web Server.") (inputs `(("slf4j" ,java-slf4j-api) ("servlet" ,java-javaee-servletapi))) - (native-inputs - `(("junit" ,java-junit) - ("hamcrest" ,java-hamcrest-all) - ("perf-helper" ,java-eclipse-jetty-perf-helper) - ("test-helper" ,java-eclipse-jetty-test-helper))) (home-page "https://www.eclipse.org/jetty/") (synopsis "Utility classes for Jetty") (description "The Jetty Web Server provides an HTTP server and Servlet @@ -6925,6 +6921,7 @@ or embedded instantiation. This package provides utility classes.") `(#:jar-name "eclipse-jetty-io.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:test-exclude (list "**/Abstract*.java" ;; Abstract class "**/EndPointTest.java") @@ -6966,6 +6963,7 @@ or embedded instantiation. This package provides IO-related utility classes.")) `(#:jar-name "eclipse-jetty-http.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:phases (modify-phases %standard-phases (add-before 'configure 'chdir @@ -7101,9 +7099,6 @@ or embedded instantiation. This package provides the JMX management."))) ("io" ,java-eclipse-jetty-io) ("jmx" ,java-eclipse-jetty-jmx) ("util" ,java-eclipse-jetty-util))) - (native-inputs - `(("test-classes" ,java-eclipse-jetty-http-test-classes) - ,@(package-native-inputs java-eclipse-jetty-util))) (synopsis "Core jetty server artifact") (description "The Jetty Web Server provides an HTTP server and Servlet container capable of serving static and dynamic content either from a standalone @@ -7133,6 +7128,7 @@ artifact."))) `(#:jar-name "eclipse-jetty-security.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:test-exclude (list "**/ConstraintTest.*") ; This test fails #:phases (modify-phases %standard-phases 
@@ -7146,9 +7142,6 @@ artifact."))) ("http" ,java-eclipse-jetty-http) ("server" ,java-eclipse-jetty-server) ("util" ,java-eclipse-jetty-util))) - (native-inputs - `(("io" ,java-eclipse-jetty-io) - ,@(package-native-inputs java-eclipse-jetty-util))) (synopsis "Jetty security infrastructure") (description "The Jetty Web Server provides an HTTP server and Servlet container capable of serving static and dynamic content either from a standalone @@ -7169,6 +7162,18 @@ infrastructure"))) `(("io" ,java-eclipse-jetty-io-9.2) ,@(package-native-inputs java-eclipse-jetty-util-9.2))))) +(define-public java-eclipse-jetty-util-ajax + (package + (inherit java-eclipse-jetty-util) + (name "java-eclipse-jetty-util-ajax") + (arguments + `(#:jar-name "eclipse-jetty-util-ajax.jar" + #:source-dir "jetty-util-ajax/src/main/java" + #:tests? #f)); require junit 5 + (inputs + `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util) + ("java-javaee-servletapi" ,java-javaee-servletapi))))) + (define-public java-eclipse-jetty-servlet (package (inherit java-eclipse-jetty-util) @@ -7177,6 +7182,7 @@ infrastructure"))) `(#:jar-name "eclipse-jetty-servlet.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:phases (modify-phases %standard-phases (add-before 'configure 'chdir @@ -7186,8 +7192,8 @@ infrastructure"))) (inputs `(("slf4j" ,java-slf4j-api) ("java-javaee-servletapi" ,java-javaee-servletapi) + ("java-eclipse-jetty-util-ajax" ,java-eclipse-jetty-util-ajax) ("http" ,java-eclipse-jetty-http) - ("http-test" ,java-eclipse-jetty-http-test-classes) ("io" ,java-eclipse-jetty-io) ("jmx" ,java-eclipse-jetty-jmx) ("security" ,java-eclipse-jetty-security) @@ -7277,6 +7283,7 @@ container."))) `(#:jar-name "eclipse-jetty-webapp.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 ;; One test fails #:test-exclude (list "**/WebAppContextTest.java") #:phases 
@@ -7288,14 +7295,12 @@ container."))) (inputs `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util) ("java-eclipse-jetty-http" ,java-eclipse-jetty-http) + ("java-eclipse-jetty-io" ,java-eclipse-jetty-io) ("java-eclipse-jetty-server" ,java-eclipse-jetty-server) ("java-eclipse-jetty-servlet" ,java-eclipse-jetty-servlet) ("java-eclipse-jetty-security" ,java-eclipse-jetty-security) ("java-eclipse-jetty-xml" ,java-eclipse-jetty-xml) - ("java-javaee-servletapi" ,java-javaee-servletapi))) - (native-inputs - `(("java-eclipse-jetty-io" ,java-eclipse-jetty-io) - ,@(package-native-inputs java-eclipse-jetty-util))))) + ("java-javaee-servletapi" ,java-javaee-servletapi))))) (define-public java-eclipse-jetty-webapp-9.2 (package -- 2.31.0
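Review bot: the ChangeLog entry names the wrong file: the commit message says `* gnu/packages/java.scm (java-eclipse-jetty-util): Update to 9.4.39.` while the diff header is `diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm`; change it to `* gnu/packages/web.scm`. In the same first hunk (@@ -6830), `#:tests? #f; require junit 5` is inserted directly above `#:test-exclude (list "**/Abstract*.java" ...`, which becomes dead configuration once tests are off; either drop the exclude list or extend the comment to say it is kept for a future junit 5 build, and put a space before the `;` as the surrounding code does (`"**/ConstraintTest.*") ; This test fails`). The same dead-exclude situation recurs at @@ -6925 (io), @@ -7133 (security, `; This test fails`) and @@ -7277 (webapp, `;; One test fails`), where the old comments now describe tests that never run.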
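Review bot: dropping `java-eclipse-jetty-perf-helper` and `java-eclipse-jetty-test-helper` from the native-inputs of java-eclipse-jetty-util (@@ -6860), together with the removal of `,@(package-native-inputs java-eclipse-jetty-util)` in the later hunks, may leave those helper packages, and `java-eclipse-jetty-http-test-classes` (removed at @@ -7101 and @@ -7186), without any dependent apart from the 9.2 variants; run `guix refresh -l` on each and remove the orphans in a follow-up commit, since the cover mail already says jetty-test-classes no longer builds.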
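Review bot: the new java-eclipse-jetty-util-ajax package (@@ -7169) inherits synopsis and description from java-eclipse-jetty-util, so it will be listed as plain "Utility classes for Jetty"; give it its own `(synopsis ...)` and `(description ...)` like the sibling packages (compare `(synopsis "Jetty security infrastructure")` in the security hunk). The junit comment is placed after the closing parentheses, `#:tests? #f)); require junit 5`, where it attaches to the whole `arguments` form rather than to the flag; move it onto the `#:tests? #f` line as the other hunks do. The other jetty packages touched here pass `#:jdk ,icedtea-8`; if util-ajax intentionally builds without it, a one-line comment would save the next reader the question.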
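Review bot: in the servlet inputs hunk (@@ -7186) the new entry carries the full package name as its label, `("java-eclipse-jetty-util-ajax" ,java-eclipse-jetty-util-ajax)`, next to the short labels `"http"`, `"io"`, `"jmx"` and `"security"`; keep one labelling scheme within the alist (the webapp package at @@ -7288 already uses full names throughout) so `(assoc-ref inputs ...)` lookups in phases stay predictable.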
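Review bot: moving `java-eclipse-jetty-io` from native-inputs to inputs in the webapp hunk (@@ -7288) is right for a dependency the built jar needs at run time, but the ChangeLog only records `[native-inputs]: Remove test dependencies.`; add `[inputs]: Add java-eclipse-jetty-io.` for webapp and `[inputs]: Add java-eclipse-jetty-util-ajax.` for servlet so the commit message matches the diff.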
From: Julien Lepiller
To: 47562-done@debbugs.gnu.org
Date: Mon, 12 Apr 2021 16:41:45 +0200
Subject: Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
Message-ID: <20210412164138.6d23eed8@tachikoma.lepiller.eu>

Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.


From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 11 May 2021 11:24:07 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks