Package: jetty9
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jetty9.

CVE-2017-7656[0]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style
| request line (i.e. method space URI space version) that declares a
| version of HTTP/0.9 was accepted and treated as a 0.9 request. If
| deployed behind an intermediary that also accepted and passed through
| the 0.9 version (but did not act on it), then the response sent could
| be interpreted by the intermediary as HTTP/1 headers. This could be
| used to poison the cache if the server allowed the origin client to
| generate arbitrary content in the response.

CVE-2017-7657[1]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), transfer-encoding chunks are handled poorly. The
| chunk length parsing was vulnerable to an integer overflow. Thus a
| large chunk size could be interpreted as a smaller chunk size and
| content sent as chunk body could be interpreted as a pipelined
| request. If Jetty was deployed behind an intermediary that imposed
| some authorization and that intermediary allowed arbitrarily large
| chunks to be passed on unchanged, then this flaw could be used to
| bypass the authorization imposed by the intermediary as the fake
| pipelined request would not be interpreted by the intermediary as a
| request.

CVE-2017-7658[2]:
| In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non
| HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations),
| when presented with two content-length headers, Jetty ignored the
| second. When presented with a content-length and a chunked encoding
| header, the content-length was ignored (as per RFC 2616). If an
| intermediary decided on the shorter length, but still passed on the
| longer body, then body content could be interpreted by Jetty as a
| pipelined request. If the intermediary was imposing authorization, the
| fake pipelined request would bypass that authorization.

CVE-2018-12536[3]:
| In Eclipse Jetty Server, all 9.x versions, on webapps deployed using
| default Error Handling, when an intentionally bad query arrives that
| doesn't match a dynamic url-pattern, and is eventually handled by the
| DefaultServlet's static file serving, the bad characters can trigger a
| java.nio.file.InvalidPathException which includes the full path to the
| base resource directory that the DefaultServlet and/or webapp is
| using. If this InvalidPathException is then handled by the default
| Error Handler, the InvalidPathException message is included in the
| error response, revealing the full server path to the requesting
| system.

CVE-2018-12538[4]:
| In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional
| Jetty provided FileSessionDataStore for persistent storage of
| HttpSession details, it is possible for a malicious user to
| access/hijack other HttpSessions and even delete unmatched
| HttpSessions present in the FileSystem's storage for the
| FileSessionDataStore.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7656
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656
[1] https://security-tracker.debian.org/tracker/CVE-2017-7657
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657
[2] https://security-tracker.debian.org/tracker/CVE-2017-7658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
[3] https://security-tracker.debian.org/tracker/CVE-2018-12536
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536
[4] https://security-tracker.debian.org/tracker/CVE-2018-12538
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538

Please adjust the affected versions in the BTS as needed.

Markus
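Added example, not part of the report above and not Jetty's own code: a small strict request-head checker in Python that refuses the three HTTP/1 parsing ambiguities the first three CVE texts describe (an HTTP/1-style request line claiming HTTP/0.9, an overflowable chunk-size field, and duplicate or conflicting body-framing headers), so that a front-end and a back-end cannot disagree on where a request ends. The 32-bit chunk-size cap (MAX_CHUNK_HEX_DIGITS), the function names and the SAMPLE request head are my assumptions and constructed input.

```python
import re

MAX_CHUNK_HEX_DIGITS = 8  # assumption: cap the chunk-size field at 32 bits

def check_request_line(line):
    """CVE-2017-7656: a 3-token HTTP/1-style line must not be treated as 0.9."""
    parts = line.split(" ")
    if len(parts) != 3:
        return "malformed request line"
    if parts[2].upper() == "HTTP/0.9":
        return "HTTP/0.9 declared in HTTP/1-style request line"
    if not re.fullmatch(r"HTTP/1\.[01]", parts[2]):
        return "unsupported HTTP version"
    return None

def check_framing_headers(headers):
    """CVE-2017-7658: reject ambiguous body framing instead of picking one."""
    cl = [v.strip() for k, v in headers if k.lower() == "content-length"]
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    if len(cl) > 1:  # even identical duplicates: an intermediary may disagree
        return "duplicate Content-Length headers"
    if cl and te:
        return "Content-Length together with Transfer-Encoding"
    if cl and not re.fullmatch(r"[0-9]{1,19}", cl[0]):
        return "invalid Content-Length"
    return None

def parse_chunk_size(line):
    """CVE-2017-7657: parse chunk-size with a digit cap so it cannot wrap."""
    field = line.split(";", 1)[0].strip()  # drop any chunk extension
    if not re.fullmatch(r"[0-9A-Fa-f]+", field):
        return None, "non-hex chunk size"
    if len(field.lstrip("0")) > MAX_CHUNK_HEX_DIGITS:
        return None, "chunk size too large (would overflow a 32-bit length)"
    return int(field, 16), None

def check_request_head(raw):
    """Return the first rejection reason for a request head, or None."""
    lines = raw.split("\r\n")
    reason = check_request_line(lines[0])
    if reason:
        return reason
    headers = [tuple(p.strip() for p in h.split(":", 1)) for h in lines[1:] if h]
    if any(len(h) != 2 for h in headers):
        return "malformed header line"
    return check_framing_headers(headers)

# Constructed sample: the two-Content-Length pattern from CVE-2017-7658.
SAMPLE = "POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\nContent-Length: 30\r\n"
```

A server that rejects at the head with 400 never reaches the point where trailing body bytes could be reinterpreted as a second request; the same checks are useful as a log-side detector for proxies that pass such heads through.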