Debian Bug report logs -
#445283
CVE-2006-6969 predictable session identifiers
Reported by: Nico Golde <nion@debian.org>
Date: Thu, 4 Oct 2007 15:51:03 UTC
Severity: grave
Tags: patch, security
Fixed in version jetty/5.1.10-4
Done: Michael Koch <konqueror@gmx.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#445283
; Package jetty
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: jetty
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for jetty.
CVE-2006-6969[0]:
| Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1
| before 6.1.0pre3 generates predictable session identifiers using
| java.util.random, which makes it easier for remote attackers to guess
| a session identifier through brute force attacks, bypass
| authentication requirements, and possibly conduct cross-site request
| forgery attacks.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
This vulnerability has been verified in the Debian versions
by the upstream.
I am currently waiting to get a patch for this.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#445283
; Package jetty
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #10 received at 445283@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 445283 + patch
thanks
Hi,
Greg Wilkins of jetty provides a patch from their cvs for
this issue.
You can find it on:
http://jetty.cvs.sourceforge.net/jetty/Jetty/src/org/mortbay/jetty/servlet/AbstractSessionManager.java?r1=1.52&r2=1.53&view=patch
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org
.
(Thu, 04 Oct 2007 23:48:02 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#445283
; Package jetty
.
(full text, mbox, link).
Acknowledgement sent to Greg Wilkins <gregw@mortbay.com>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #17 received at 445283@bugs.debian.org (full text, mbox, reply):
The patch to fix this issue for 5.1.10 is available
http://jetty.cvs.sourceforge.net/jetty/Jetty/src/org/mortbay/jetty/servlet/AbstractSessionManager.java?r1=1.52&r2=1.53
Reply sent to Michael Koch <konqueror@gmx.de>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Nico Golde <nion@debian.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #22 received at 445283-close@bugs.debian.org (full text, mbox, reply):
Source: jetty
Source-Version: 5.1.10-4
We believe that the bug you reported is fixed in the latest version of
jetty, which is due to be installed in the Debian FTP archive:
jetty-extra_5.1.10-4_all.deb
to pool/contrib/j/jetty/jetty-extra_5.1.10-4_all.deb
jetty_5.1.10-4.diff.gz
to pool/contrib/j/jetty/jetty_5.1.10-4.diff.gz
jetty_5.1.10-4.dsc
to pool/contrib/j/jetty/jetty_5.1.10-4.dsc
jetty_5.1.10-4_all.deb
to pool/contrib/j/jetty/jetty_5.1.10-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 445283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Koch <konqueror@gmx.de> (supplier of updated jetty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 05 Oct 2007 07:34:55 +0200
Source: jetty
Binary: jetty-extra jetty
Architecture: source all
Version: 5.1.10-4
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Michael Koch <konqueror@gmx.de>
Description:
jetty - Java servlet engine and webserver
jetty-extra - Extensions to jetty
Closes: 445283
Changes:
jetty (5.1.10-4) unstable; urgency=low
.
* Added patch to fix CVE-2006-6969. Thanks to Greg Wilkins for the patch.
Closes: #445283.
* Updated debian/patches/jdk-1.2-src-encoding.patch to make it work with
current ecj.
Files:
d8f0d95a6a2512856c5e1bd953f460d7 834 contrib/web optional jetty_5.1.10-4.dsc
d4523bded143b1b1b279a786e99d356e 17540 contrib/web optional jetty_5.1.10-4.diff.gz
293dd10205be58ab88b9abeed7cc41e2 2085478 contrib/web optional jetty_5.1.10-4_all.deb
44906c4f66623272214d9ede0ea7a215 787728 contrib/web optional jetty-extra_5.1.10-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHBc7LWSOgCCdjSDsRAn9HAJ9lsyzTIQY5puTK13hd4o4TyGwyjACZAVLk
klXyIv6ZmcdTJZ+LT7g2bl4=
=JGSY
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 13 Nov 2007 07:32:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:30:11 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.