Your message dated Mon, 18 Oct 2021 11:48:13 +0200
with message-id <[email protected]>
and subject line Re: jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 
CVE-2018-12536 CVE-2018-12538
has caused the Debian Bug report #902953,
regarding jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
902953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902953
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jetty9
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jetty9.

CVE-2017-7656[0]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style
| request line (i.e. method space URI space version) that declares a
| version of HTTP/0.9 was accepted and treated as a 0.9 request. If
| deployed behind an intermediary that also accepted and passed through
| the 0.9 version (but did not act on it), then the response sent could
| be interpreted by the intermediary as HTTP/1 headers. This could be
| used to poison the cache if the server allowed the origin client to
| generate arbitrary content in the response.

CVE-2017-7657[1]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), transfer-encoding chunks are handled poorly. The
| chunk length parsing was vulnerable to an integer overflow. Thus a
| large chunk size could be interpreted as a smaller chunk size and
| content sent as chunk body could be interpreted as a pipelined
| request. If Jetty was deployed behind an intermediary that imposed
| some authorization and that intermediary allowed arbitrarily large
| chunks to be passed on unchanged, then this flaw could be used to
| bypass the authorization imposed by the intermediary as the fake
| pipelined request would not be interpreted by the intermediary as a
| request.

CVE-2017-7658[2]:
| In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non
| HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations),
| when presented with two content-lengths headers, Jetty ignored the
| second. When presented with a content-length and a chunked encoding
| header, the content-length was ignored (as per RFC 2616). If an
| intermediary decided on the shorter length, but still passed on the
| longer body, then body content could be interpreted by Jetty as a
| pipelined request. If the intermediary was imposing authorization, the
| fake pipelined request would bypass that authorization.

CVE-2018-12536[3]:
| In Eclipse Jetty Server, all 9.x versions, on webapps deployed using
| default Error Handling, when an intentionally bad query arrives that
| doesn't match a dynamic url-pattern, and is eventually handled by the
| DefaultServlet's static file serving, the bad characters can trigger a
| java.nio.file.InvalidPathException which includes the full path to the
| base resource directory that the DefaultServlet and/or webapp is
| using. If this InvalidPathException is then handled by the default
| Error Handler, the InvalidPathException message is included in the
| error response, revealing the full server path to the requesting
| system.

CVE-2018-12538[4]:
| In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional
| Jetty provided FileSessionDataStore for persistent storage of
| HttpSession details, it is possible for a malicious user to
| access/hijack other HttpSessions and even delete unmatched
| HttpSessions present in the FileSystem's storage for the
| FileSessionDataStore.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7656
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656
[1] https://security-tracker.debian.org/tracker/CVE-2017-7657
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657
[2] https://security-tracker.debian.org/tracker/CVE-2017-7658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
[3] https://security-tracker.debian.org/tracker/CVE-2018-12536
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536
[4] https://security-tracker.debian.org/tracker/CVE-2018-12538
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538

Please adjust the affected versions in the BTS as needed.

Markus



--- End Message ---
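An added example, not part of the bug report and not Jetty's code, sketching from the defender's side the two parser checks the descriptions above call for: a 32-bit accumulator shows how an oversized hex chunk size wraps to a small value (the CVE-2017-7657 pattern) beside a strict parser that bounds it, and a framing check flags the duplicate or conflicting Content-Length / Transfer-Encoding combinations behind CVE-2017-7658. The size limit and the header representation are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple

# Assumed for this example: a 32-bit word, mimicking fixed-width arithmetic
# in which a long hex chunk size silently wraps (not a Jetty constant).
WORD_MASK = 0xFFFFFFFF
# Assumed upper bound a strict parser enforces; not a Jetty setting.
MAX_CHUNK_SIZE = 1 << 24
_HEX_DIGITS = b"0123456789abcdefABCDEF"


def chunk_size_wrapping(line: bytes) -> int:
    """Lenient parser: accumulates hex digits into a 32-bit word with no
    overflow check, so b'100000001' parses as 1 and the remaining body
    bytes look like the start of a new (pipelined) request."""
    size = 0
    for ch in line.split(b";", 1)[0].strip():  # drop chunk extensions, CRLF
        if ch not in _HEX_DIGITS:
            raise ValueError("bad chunk-size digit")
        size = (size * 16 + int(chr(ch), 16)) & WORD_MASK
    return size


def chunk_size_strict(line: bytes, limit: int = MAX_CHUNK_SIZE) -> int:
    """Strict parser: bounds the digit count and the value, so an oversized
    size is rejected instead of being truncated to something smaller."""
    digits = line.split(b";", 1)[0].strip()
    if not digits or any(ch not in _HEX_DIGITS for ch in digits):
        raise ValueError("malformed chunk-size line")
    if len(digits) > 8:  # more than 8 hex digits cannot fit in 32 bits
        raise ValueError("chunk size has too many digits")
    size = int(digits, 16)
    if size > limit:
        raise ValueError("chunk size exceeds configured limit")
    return size


def framing_conflict(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return a reason if body framing is ambiguous: repeated Content-Length
    values that disagree, a non-numeric length, or Content-Length next to
    Transfer-Encoding. None means the framing is unambiguous."""
    cls = [v.strip() for k, v in headers if k.lower() == "content-length"]
    tes = [v.strip() for k, v in headers if k.lower() == "transfer-encoding"]
    if any(not re.fullmatch(r"[0-9]+", v) for v in cls):
        return "non-numeric Content-Length"
    if len(set(cls)) > 1:
        return "conflicting Content-Length values"
    if cls and tes:
        return "Content-Length with Transfer-Encoding"
    return None
```

A front-end proxy that rejects on either check, rather than forwarding the bytes unchanged, removes the "intermediary passes it on" precondition both CVE texts rely on.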
--- Begin Message ---
These CVEs are fixed in all supported Jetty versions now. Closing.



--- End Message ---
