Source: jetty9
Version: 9.4.15-1
Severity: important
Tags: security upstream fixed-upstream
Hi,

The following vulnerabilities were published for jetty9. Although they are distinct issues, and one is addressed in 9.4.16 and the other in 4.9.17, I still opted to file one single bug, assuming the next update will move to at least 9.4.17.

CVE-2019-10241[0]:
| In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and
| 9.4.15 and older, the server is vulnerable to XSS conditions if a
| remote client uses a specially formatted URL against the
| DefaultServlet or ResourceHandler that is configured for showing a
| Listing of directory contents.

CVE-2019-10247[1]:
| In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older,
| and 9.4.16 and older, the server running on any OS and Jetty version
| combination will reveal the configured fully qualified directory base
| resource location on the output of the 404 error for not finding a
| Context that matches the requested path. The default server behavior
| on jetty-distribution and jetty-home will include at the end of the
| Handler tree a DefaultHandler, which is responsible for reporting this
| 404 error, it presents the various configured contexts as HTML for
| users to click through to. This produced HTML includes output that
| contains the configured fully qualified directory base resource
| location for each context.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
[1] https://security-tracker.debian.org/tracker/CVE-2019-10247
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577

Regards,
Salvatore
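Both issues live in default-on features (the DefaultServlet directory listing and the DefaultHandler context listing on 404), so a deployment that cannot take the fixed version yet can remove the affected output instead. The following embedded Jetty 9.4 setup is an added hardening example, not code from this bug report or from the Jetty project; it assumes jetty-server and jetty-servlet 9.4.x on the classpath, and the port, context path and resource base are placeholders.

```java
// Added example (not from the bug report or Jetty): embedded Jetty 9.4
// with the two listing features the CVEs above concern switched off.
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class HardenedJetty {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // placeholder port

        ServletContextHandler ctx =
            new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        ctx.setContextPath("/static");          // placeholder context path
        ctx.setResourceBase("/srv/www/static"); // placeholder resource base

        // CVE-2019-10241: the XSS is in the HTML directory listing that
        // DefaultServlet generates. With dirAllowed=false no listing is
        // produced at all, so there is no listing output to escape.
        ServletHolder files = new ServletHolder("default", DefaultServlet.class);
        files.setInitParameter("dirAllowed", "false");
        ctx.addServlet(files, "/");

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        contexts.addHandler(ctx);

        // CVE-2019-10247: DefaultHandler's 404 page enumerates every
        // context together with its fully qualified base resource.
        // showContexts=false gives a plain 404 without that path disclosure.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);

        // Same handler-tree shape as jetty-distribution: contexts first,
        // DefaultHandler last as the catch-all for unmatched paths.
        HandlerList handlers = new HandlerList();
        handlers.addHandler(contexts);
        handlers.addHandler(fallback);
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}
```

To verify after starting the server, request a directory path under /static and a path matching no context: neither response should contain an HTML listing or the configured base resource path.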