GNU bug report logs - #47562
java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 2 Apr 2021 10:38:01 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: bug#47562: closed (Re: java-eclipse-jetty-* packages are
 vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also
 probably MANY others, 4y w/o upgrade))
Date: Mon, 12 Apr 2021 14:42:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 47562 <at> debbugs.gnu.org.

-- 
47562: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47562
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Julien Lepiller <julien <at> lepiller.eu>
To: 47562-done <at> debbugs.gnu.org
Subject: Re: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165,
 CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o
 upgrade)
Date: Mon, 12 Apr 2021 16:41:45 +0200

Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.


[Message part 3 (message/rfc822, inline)]
From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165,
 CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o
 upgrade)
Date: Fri, 02 Apr 2021 12:37:27 +0200

[Message part 4 (text/plain, inline)]
CVE-2021-28165	01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.

CVE-2021-28164	01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.

CVE-2021-28163	01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory is deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.

The fix is to upgrade to latest version, currently: 9.4.39.v20210325

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 39 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.