https://bugzilla.redhat.com/show_bug.cgi?id=1937364
Bug ID: 1937364
Summary: CVE-2021-21295 netty: possible request smuggling in
HTTP/2 due to missing validation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, akurtako(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
andjrobins(a)gmail.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
clement.escoffier(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dbhole(a)redhat.com, decathorpe(a)gmail.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org,
fjuma(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gsmet(a)redhat.com, hamadhan(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
nmoumoul(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pcreech(a)redhat.com,
pdrozd(a)redhat.com, peholase(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, probinso(a)redhat.com,
rchan(a)redhat.com, rgodfrey(a)redhat.com,
rgrunber(a)redhat.com, rguimara(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sbiarozk(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, sokeeffe(a)redhat.com,
spinder(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tflannag(a)redhat.com,
theute(a)redhat.com, tom.jenkinson(a)redhat.com,
yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high-performance protocol
servers and clients. In Netty (io.netty:netty-codec-http2) before version
4.1.60.Final there is a vulnerability that enables request smuggling. If a
Content-Length header is present in the original HTTP/2 request, the field is
not validated by `Http2MultiplexHandler` as it is propagated up. This is fine
as long as the request is not proxied through as HTTP/1.1. If the request comes
in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects
(`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec`,
is then sent up the child channel's pipeline and proxied through to a remote
peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users
may assume the Content-Length is validated somehow, which is not the case. If
the request is forwarded to a backend channel that is an HTTP/1.1 connection,
the Content-Length now has meaning and needs to be checked. An attacker can
smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1.
For an example attack refer to the linked GitHub Advisory. Users are only
affected if all of this is true: `Http2MultiplexCodec` or `Http2FrameCodec` is
used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1
objects, and these HTTP/1.1 objects are forwarded to another remote peer. This
has been patched in 4.1.60.Final. As a workaround, the user can do the
validation themselves by implementing a custom `ChannelInboundHandler` that
is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
Reference:
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
Upstream patch:
https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3…
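The check the workaround above asks for, written out as an added example that is
not Netty's code and not from the advisory. It models the frames that
`Http2StreamFrameToHttpObjectCodec` consumes with a small constructed `H2Stream`
class (an assumption for the example; the real handler works on Netty
`Http2HeadersFrame`/`Http2DataFrame` objects), cross-checks a declared
Content-Length against the bytes actually received on the stream, and only then
serialises an HTTP/1.1 request for the backend with the Content-Length rewritten
from the real body length so the downstream connection cannot frame the body
differently from the frontend.

```python
"""Added example (not Netty's code): validate Content-Length before a stream
is downgraded from HTTP/2 to an HTTP/1.1 request for a backend connection."""
from dataclasses import dataclass, field


class SmugglingRisk(ValueError):
    """Raised when the downgraded request could not be framed unambiguously."""


@dataclass
class H2Stream:
    """Constructed stand-in for one HTTP/2 stream: the pseudo-headers and
    regular headers from the HEADERS frame plus the payloads of the DATA
    frames that followed.  Assumption: the stream is complete and in order."""
    method: str
    path: str
    authority: str
    headers: dict                       # regular header fields, lowercase names
    data: list = field(default_factory=list)   # DATA frame payloads (bytes)


def validate_content_length(stream: H2Stream) -> int:
    """Return the real body length, or raise if a declared Content-Length
    cannot be trusted.  This is the validation the advisory says a custom
    ChannelInboundHandler behind Http2StreamFrameToHttpObjectCodec must do."""
    body_len = sum(len(chunk) for chunk in stream.data)
    declared = stream.headers.get("content-length")
    if declared is None:
        return body_len     # HTTP/2 frames the body itself; nothing to cross-check
    # A comma-joined list is only acceptable if every value is identical;
    # conflicting values, signs or non-digits are exactly what a smuggling
    # payload relies on, so they are rejected outright.
    values = {v.strip() for v in declared.split(",")}
    if len(values) != 1:
        raise SmugglingRisk(f"conflicting Content-Length values: {declared!r}")
    value = values.pop()
    if not (value.isascii() and value.isdigit()):
        raise SmugglingRisk(f"malformed Content-Length: {declared!r}")
    if int(value) != body_len:
        raise SmugglingRisk(
            f"Content-Length {value} != {body_len} bytes received in DATA frames")
    return body_len


def to_http11(stream: H2Stream) -> bytes:
    """Serialise the validated stream as an HTTP/1.1 request.  Framing and
    hop-by-hop fields are never copied through from HTTP/2; Content-Length is
    always regenerated from the body the frontend actually received."""
    body_len = validate_content_length(stream)
    drop = {"content-length", "transfer-encoding", "connection", "host"}
    lines = [f"{stream.method} {stream.path} HTTP/1.1",
             f"Host: {stream.authority}"]
    for name, value in stream.headers.items():
        if name.lower() not in drop:
            lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {body_len}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + b"".join(stream.data)
```

A proxy built on this rejects a mismatching stream with a 4xx instead of
forwarding it; the HTTP/1.1 request that does go out carries exactly one
Content-Length, derived from the bytes that were received, which is the property
the downgrade path in the affected versions failed to guarantee.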
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1985223
Bug ID: 1985223
Summary: CVE-2021-34429 jetty: crafted URIs allow bypassing
security constraints
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jwon(a)redhat.com,
krzysztof.daniel(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
pjindal(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sd-operator-metering(a)redhat.com,
slinaber(a)redhat.com, sochotni(a)redhat.com,
sponnaga(a)redhat.com, swoodman(a)redhat.com,
tflannag(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs
can be crafted using some encoded characters to access the content of the
WEB-INF directory and/or bypass some security constraints.
Upstream Issue:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w…
https://bugzilla.redhat.com/show_bug.cgi?id=1985225
Bug ID: 1985225
Summary: CVE-2021-34429 jetty: crafted URIs allow bypassing
security constraints [fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mat.booth(a)gmail.com
Reporter: mrehak(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=1974891
Bug ID: 1974891
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jwon(a)redhat.com,
krzysztof.daniel(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sd-operator-metering(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tflannag(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is
thrown from the SessionListener#sessionDestroyed() method, then the session ID
is not invalidated in the session ID manager. On deployments with clustered
sessions and multiple contexts this can leave a session that the user logged
out of still valid, so an application used on a shared computer can be left
logged in.
Reference:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx…
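The failure mode described above, and the shape of fix that removes it, as an
added example that is not Jetty's code. The `SessionIdManager`, `SessionManager`
and listener classes are constructed stand-ins for the example (Jetty's real
classes differ in name and scope): the vulnerable logout lets a listener
exception skip the ID-manager invalidation, while the hardened one isolates each
listener and performs the invalidation in a `finally` block so the session ID
is removed no matter what the listeners do.

```python
"""Added example (not Jetty's code): session logout whose listener callbacks
cannot keep the session ID alive by throwing."""
import logging

log = logging.getLogger("sessions")


class SessionIdManager:
    """Constructed stand-in for the cluster-wide registry of valid IDs."""

    def __init__(self):
        self.ids = set()

    def invalidate(self, session_id):
        self.ids.discard(session_id)


class SessionManager:
    def __init__(self, id_manager, listeners):
        self.id_manager = id_manager
        self.listeners = listeners      # objects exposing session_destroyed(sid)
        self.sessions = {}              # sid -> attributes

    def create(self, sid, **attrs):
        self.sessions[sid] = dict(attrs)
        self.id_manager.ids.add(sid)

    def logout_vulnerable(self, sid):
        """Mirrors the reported defect: a listener exception propagates before
        the ID manager is told, so the ID stays valid for every context."""
        session = self.sessions.pop(sid)
        for listener in self.listeners:
            listener.session_destroyed(sid)      # may raise
        self.id_manager.invalidate(sid)
        return session

    def logout_hardened(self, sid):
        """Listeners are isolated from each other and the ID invalidation sits
        in a finally block, so it runs even if every listener fails."""
        session = self.sessions.pop(sid)
        errors = []
        try:
            for listener in self.listeners:
                try:
                    listener.session_destroyed(sid)
                except Exception as exc:         # one bad listener must not stop the rest
                    errors.append(exc)
                    log.warning("sessionDestroyed listener failed for %s: %r", sid, exc)
        finally:
            self.id_manager.invalidate(sid)
        return session, errors


class BrokenListener:
    """Constructed listener that always fails during cleanup."""

    def session_destroyed(self, sid):
        raise RuntimeError("cleanup failed for " + sid)


def demo():
    """Run both logout paths against a failing listener; maps each path to
    whether the session ID survived in the ID manager (True = still valid)."""
    results = {}
    for name in ("logout_vulnerable", "logout_hardened"):
        idm = SessionIdManager()
        mgr = SessionManager(idm, [BrokenListener()])
        mgr.create("abc123", user="alice")
        try:
            getattr(mgr, name)("abc123")
        except RuntimeError:
            pass
        results[name] = "abc123" in idm.ids
    return results
```

`demo()` returns `{"logout_vulnerable": True, "logout_hardened": False}`: the
vulnerable path leaves `abc123` accepted by the ID manager after the user
believes they have logged out, the hardened path does not.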
https://bugzilla.redhat.com/show_bug.cgi?id=1974892
Bug ID: 1974892
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
[fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: mat.booth(a)gmail.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=1971016
Bug ID: 1971016
Summary: CVE-2021-28169 jetty: requests to the ConcatServlet
and WelcomeFilter are able to access protected
resources within the WEB-INF directory
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jwon(a)redhat.com, krzysztof.daniel(a)gmail.com,
lhh(a)redhat.com, lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sd-operator-metering(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tflannag(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for
requests to the ConcatServlet with a doubly encoded path to access protected
resources within the WEB-INF directory. For example a request to
`/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application.
Reference:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh…
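Why the doubly encoded path in the example above slips past a check that decodes
only once, and a check that does not, as an added example that is not Jetty's
code. The two functions are constructed for the example: `naive_is_protected`
decodes once and looks at the first segment, so `/%2557EB-INF/web.xml` (which
decodes to `/%57EB-INF/web.xml`) is let through; `hardened_is_protected`
percent-decodes to a bounded fixed point, normalises `.`/`..` segments and then
checks every segment. A servlet that takes a path from the query string, as
ConcatServlet does, would apply the hardened check to that value before
dispatching to it.

```python
"""Added example (not Jetty's code): single-decode WEB-INF check vs a
canonicalising check that survives double encoding."""
import posixpath
from urllib.parse import unquote

PROTECTED = ("WEB-INF", "META-INF")


def naive_is_protected(path: str) -> bool:
    """Decode once and compare the first segment.  '/%2557EB-INF/web.xml'
    decodes to '/%57EB-INF/web.xml', whose first segment is '%57EB-INF',
    so this returns False even though one more decode yields 'WEB-INF'."""
    decoded = unquote(path)
    first = decoded.lstrip("/").split("/", 1)[0]
    return first.upper() in PROTECTED


def canonical_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then normalise
    '.' and '..' segments.  Input that is still changing after max_rounds
    decodes is treated as hostile and rejected with ValueError."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError("path still percent-encoded after %d decodes" % max_rounds)
    # Re-anchor at '/' before normalising so '..' cannot climb above the root.
    return posixpath.normpath("/" + current.lstrip("/"))


def hardened_is_protected(path: str) -> bool:
    """Check the canonical path segment by segment, so 'web-inf', '/./WEB-INF',
    '/x/../WEB-INF' and nested encodings are all caught."""
    try:
        norm = canonical_path(path)
    except ValueError:
        return True         # refuse anything that cannot be canonicalised
    return any(seg.upper() in PROTECTED for seg in norm.split("/") if seg)
```

The bounded fixed-point decode is deliberate: decoding in an unbounded loop
turns a long chain of `%25` prefixes into a CPU sink, while treating "still
encoded after N rounds" as a rejection keeps the check both cheap and safe.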
https://bugzilla.redhat.com/show_bug.cgi?id=1971017
Bug ID: 1971017
Summary: CVE-2021-28169 jetty: requests to the ConcatServlet
and WelcomeFilter are able to access protected
resources within the WEB-INF directory [fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mat.booth(a)gmail.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=1982614
Bug ID: 1982614
Summary: eclipse-pydev Does not debug a forked process.
Product: Fedora
Version: 34
Status: NEW
Component: eclipse-pydev
Assignee: extras-orphan(a)fedoraproject.org
Reporter: sebastian.saletnik(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
extras-orphan(a)fedoraproject.org, jjohnstn(a)redhat.com
Target Milestone: ---
Classification: Fedora
Created attachment 1801797
--> https://bugzilla.redhat.com/attachment.cgi?id=1801797&action=edit
test script
Description of problem:
Does not debug a forked process.
Version-Release number of selected component (if applicable):
eclipse-pydev-8.0.0-2.fc34.x86_64
How reproducible:
Debug script using fork as "Python Run"
Steps to Reproduce:
1. Run Eclipse
2. Create PyDev project
3. Add file test_debug.py
4. Select file test_debug.py
5. right click -> Debug As -> Python Run
Actual results:
Does not debug a forked process.
Breakpoints in the forked process are ignored
Expected results:
Debug a forked process.
Additional info:
Traceback:
File "/usr/lib/eclipse/droplets/pydev/plugins/org.python.pydev.core_8.0.0.v20201103-1759/pysrc/pydevd_tracing.py", line 129, in load_python_helper_lib
filename = os.path.join(os.path.dirname(__file__), 'pydevd_attach_to_process', 'attach_linux.so' % (suffix,))
TypeError: not all arguments converted during string formatting
Wrong formatting.
Fixing patch:
@@ -126,7 +126,7 @@
else:
suffix = 'x86'
- filename = os.path.join(os.path.dirname(__file__),
'pydevd_attach_to_process', 'attach_linux.so' % (suffix,))
+ filename = os.path.join(os.path.dirname(__file__),
'pydevd_attach_to_process', 'attach_linux.so')
elif IS_MAC:
if IS_64BIT_PROCESS:
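Review bot: dropping `% (suffix,)` does remove the TypeError (the string has no `%s` placeholder, so the operator has nothing to consume), but it also leaves the `suffix` assigned in the visible `else: suffix = 'x86'` branch unused on this Linux path; either that assignment is now dead code and should go too, or the original intent was an architecture-specific library name and the placeholder belongs in the format string rather than the argument being removed. The change should say which, and confirm that an architecture-independent `attach_linux.so` actually ships in `pydevd_attach_to_process`, otherwise a clear exception is traded for loading the wrong file. Also, as pasted, the continuation lines of the `-` and `+` entries have lost their prefixes, so the hunk will not apply with patch(1) until those are restored.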
https://bugzilla.redhat.com/show_bug.cgi?id=1970206
Bug ID: 1970206
Summary: bash hang when launched by TM Terminal inside Eclipse
Product: Fedora
Version: 34
Status: NEW
Component: eclipse-cdt
Assignee: extras-orphan(a)fedoraproject.org
Reporter: shihping.chan(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
extras-orphan(a)fedoraproject.org, jjohnstn(a)redhat.com,
rgrunber(a)redhat.com, TicoTimo(a)gmail.com
Target Milestone: ---
Classification: Fedora
Description of problem:
Some shells (bash, zsh) hang when launched inside of TM Terminal, i.e., they
don't reach the command prompt.
Version-Release number of selected component (if applicable):
eclipse-platform-4.19-3.fc34.x86_64
eclipse-cdt-9.11.1-10.fc34.x86_64
(also tested with TM Terminal 10.2.0.202012191711 from Marketplace)
How reproducible:
Always
Steps to Reproduce:
1. start eclipse
2. configure TM Terminal to use /usr/bin/bash or /usr/bin/zsh
3. start a TM Terminal
Actual results:
The terminal hangs and doesn't reach a command prompt
Expected results:
The terminal reaches a command prompt
Additional info:
1. Working: sh, ksh, fish, tmux
2. Reproduced with setenforce 0
3. If you launch /bin/sh and run bash you see the same hang
4. however the /bin/bash inside tmux works
https://bugzilla.redhat.com/show_bug.cgi?id=1902826
Bug ID: 1902826
Summary: CVE-2020-27218 jetty: buffer not correctly recycled in
Gzip Request inflation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aboyko(a)redhat.com,
aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, aos-bugs(a)redhat.com,
ataylor(a)redhat.com, bmontgom(a)redhat.com,
btofel(a)redhat.com, chazlett(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pbhattac(a)redhat.com,
pdrozd(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sochotni(a)redhat.com,
sponnaga(a)redhat.com, sthorger(a)redhat.com,
tcunning(a)redhat.com, tkirby(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to
10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation
is enabled and requests from different clients are multiplexed onto a single
connection, and if an attacker can send a request with a body that is received
entirely but not consumed by the application, then a subsequent request on the
same connection will see that body prepended to its body. The attacker will not
see any data but may inject data into the body of the subsequent request.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892
https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm…