https://bugzilla.redhat.com/show_bug.cgi?id=1719748
Bug ID: 1719748
Summary: jetty-9.4.19.v20190610 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: jetty
Keywords: FutureFeature, Triaged
Assignee: mat.booth(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 9.4.19.v20190610
Current version/release in rawhide: 9.4.18-2.v20190429.fc31
URL: http://www.eclipse.org/jetty
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1447/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1945712
Bug ID: 1945712
Summary: CVE-2021-28164 jetty: Ambiguous paths can access
WEB-INF
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
etirelli(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, hbraun(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com, jburrell(a)redhat.com,
jjohnstn(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
mat.booth(a)gmail.com, mburns(a)redhat.com,
mizdebsk(a)redhat.com, mkolesni(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance
mode allows requests with URIs that contain %2e or %2e%2e segments to access
protected resources within the WEB-INF directory. For example a request to
/context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1945714
Bug ID: 1945714
Summary: CVE-2021-28165 jetty: Resource exhaustion when
receiving an invalid large TLS frame
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
etirelli(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, hbraun(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com, jburrell(a)redhat.com,
jjohnstn(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
mat.booth(a)gmail.com, mburns(a)redhat.com,
mizdebsk(a)redhat.com, mkolesni(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to
11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1945710
Bug ID: 1945710
Summary: CVE-2021-28163 jetty: Symlink directory exposes webapp
directory contents
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
etirelli(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, hbraun(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com, jburrell(a)redhat.com,
jjohnstn(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
mat.booth(a)gmail.com, mburns(a)redhat.com,
mizdebsk(a)redhat.com, mkolesni(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to
11.0.1, if a user uses a webapps directory that is a symlink, the contents of
the webapps directory is deployed as a static webapp, inadvertently serving the
webapps themselves and anything else that might be in that directory.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1934116
Bug ID: 1934116
Summary: CVE-2020-27223 jetty: request containing multiple
Accept headers with a large number of "quality"
parameters may lead to DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aboyko(a)redhat.com,
aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, aos-bugs(a)redhat.com,
ataylor(a)redhat.com, bibryam(a)redhat.com,
bmontgom(a)redhat.com, chazlett(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
hbraun(a)redhat.com, ibek(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
mat.booth(a)redhat.com, mcermak(a)redhat.com,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
mprchlik(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pantinor(a)redhat.com,
patrickm(a)redhat.com, pbhattac(a)redhat.com,
pdrozd(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sochotni(a)redhat.com,
sponnaga(a)redhat.com, sthorger(a)redhat.com,
tcunning(a)redhat.com, tflannag(a)redhat.com,
tkirby(a)redhat.com, vbobade(a)redhat.com,
vkadlcik(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and
11.0.0 when Jetty handles a request containing multiple Accept headers with a
large number of “quality” (i.e. q) parameters, the server may enter a denial of
service (DoS) state due to high CPU usage processing those quality values,
resulting in minutes of CPU time exhausted processing those quality values.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1944888
Bug ID: 1944888
Summary: CVE-2021-21409 netty: Request smuggling via
content-length header
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, akurtako(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
andjrobins(a)gmail.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
clement.escoffier(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dbhole(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org,
fjuma(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gsmet(a)redhat.com,
hamadhan(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)gmail.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
nmoumoul(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pcreech(a)redhat.com,
pdrozd(a)redhat.com, peholase(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, probinso(a)redhat.com,
rchan(a)redhat.com, rgodfrey(a)redhat.com,
rgrunber(a)redhat.com, rguimara(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sbiarozk(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, sokeeffe(a)redhat.com,
spinder(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tflannag(a)redhat.com,
theute(a)redhat.com, tom.jenkinson(a)redhat.com,
yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.61.Final there is a vulnerability that enables request smuggling. The
content-length header is not correctly validated if the request only uses a
single Http2HeaderFrame with the endStream set to to true. This could lead to
request smuggling if the request is proxied to a remote peer and translated to
HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did
miss to fix this one case. This was fixed as part of 4.1.61.Final.
References:
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0…https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1937364
Bug ID: 1937364
Summary: CVE-2021-21295 netty: possible request smuggling in
HTTP/2 due missing validation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, akurtako(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
andjrobins(a)gmail.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
clement.escoffier(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dbhole(a)redhat.com, decathorpe(a)gmail.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org,
fjuma(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gsmet(a)redhat.com, hamadhan(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
nmoumoul(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pcreech(a)redhat.com,
pdrozd(a)redhat.com, peholase(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, probinso(a)redhat.com,
rchan(a)redhat.com, rgodfrey(a)redhat.com,
rgrunber(a)redhat.com, rguimara(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sbiarozk(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, sokeeffe(a)redhat.com,
spinder(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tflannag(a)redhat.com,
theute(a)redhat.com, tom.jenkinson(a)redhat.com,
yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.60.Final there is a vulnerability that enables request smuggling. If a
Content-Length header is present in the original HTTP/2 request, the field is
not validated by `Http2MultiplexHandler` as it is propagated up. This is fine
as long as the request is not proxied through as HTTP/1.1. If the request comes
in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects
(`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec
`and then sent up to the child channel's pipeline and proxied through a remote
peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users
may assume the content-length is validated somehow, which is not the case. If
the request is forwarded to a backend channel that is a HTTP/1.1 connection,
the Content-Length now has meaning and needs to be checked. An attacker can
smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1.
For an example attack refer to the linked GitHub Advisory. Users are only
affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is
used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1
objects, and these HTTP/1.1 objects are forwarded to another remote peer. This
has been patched in 4.1.60.Final As a workaround, the user can do the
validation by themselves by implementing a custom `ChannelInboundHandler` that
is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
Reference:
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
Upstream patch:
https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1974891
Bug ID: 1974891
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jwon(a)redhat.com,
krzysztof.daniel(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sd-operator-metering(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tflannag(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is
thrown from the SessionListener#sessionDestroyed() method, then the session ID
is not invalidated in the session ID manager. On deployments with clustered
sessions and multiple contexts this can result in a session not being
invalidated. This can result in an application used on a shared computer being
left logged in.
Reference:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1974892
Bug ID: 1974892
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
[fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: mat.booth(a)gmail.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1971016
Bug ID: 1971016
Summary: CVE-2021-28169 jetty: requests to the ConcatServlet
and WelcomeFilter are able to access protected
resources within the WEB-INF directory
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jwon(a)redhat.com, krzysztof.daniel(a)gmail.com,
lhh(a)redhat.com, lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sd-operator-metering(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tflannag(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for
requests to the ConcatServlet with a doubly encoded path to access protected
resources within the WEB-INF directory. For example a request to
`/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application.
Reference:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh…
--
You are receiving this mail because:
You are on the CC list for the bug.