jetty9: CVE-2018-12536


Debian Bug report logs - #902774

Reported by: Markus Koschany <apo@debian.org>

Date: Sat, 30 Jun 2018 18:45:04 UTC

Severity: grave

Tags: security

Found in version jetty9/9.2.24-1

Fixed in version jetty9/9.2.25-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#902774; Package jetty9. (Sat, 30 Jun 2018 18:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 30 Jun 2018 18:45:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2018-12536 CVE-2018-12538
Date: Sat, 30 Jun 2018 20:41:05 +0200
Package: jetty9
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jetty9.

CVE-2017-7656[0]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style
| request line (i.e. method space URI space version) that declares a
| version of HTTP/0.9 was accepted and treated as a 0.9 request. If
| deployed behind an intermediary that also accepted and passed through
| the 0.9 version (but did not act on it), then the response sent could
| be interpreted by the intermediary as HTTP/1 headers. This could be
| used to poison the cache if the server allowed the origin client to
| generate arbitrary content in the response.

CVE-2017-7657[1]:
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all
| configurations), and 9.4.x (non-default configuration with RFC2616
| compliance enabled), transfer-encoding chunks are handled poorly. The
| chunk length parsing was vulnerable to an integer overflow. Thus a
| large chunk size could be interpreted as a smaller chunk size and
| content sent as chunk body could be interpreted as a pipelined
| request. If Jetty was deployed behind an intermediary that imposed
| some authorization and that intermediary allowed arbitrarily large
| chunks to be passed on unchanged, then this flaw could be used to
| bypass the authorization imposed by the intermediary as the fake
| pipelined request would not be interpreted by the intermediary as a
| request.

CVE-2017-7658[2]:
| In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non
| HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations),
| when presented with two content-lengths headers, Jetty ignored the
| second. When presented with a content-length and a chunked encoding
| header, the content-length was ignored (as per RFC 2616). If an
| intermediary decided on the shorter length, but still passed on the
| longer body, then body content could be interpreted by Jetty as a
| pipelined request. If the intermediary was imposing authorization, the
| fake pipelined request would bypass that authorization.

CVE-2018-12536[3]:
| In Eclipse Jetty Server, all 9.x versions, on webapps deployed using
| default Error Handling, when an intentionally bad query arrives that
| doesn't match a dynamic url-pattern, and is eventually handled by the
| DefaultServlet's static file serving, the bad characters can trigger a
| java.nio.file.InvalidPathException which includes the full path to the
| base resource directory that the DefaultServlet and/or webapp is
| using. If this InvalidPathException is then handled by the default
| Error Handler, the InvalidPathException message is included in the
| error response, revealing the full server path to the requesting
| system.

CVE-2018-12538[4]:
| In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional
| Jetty provided FileSessionDataStore for persistent storage of
| HttpSession details, it is possible for a malicious user to
| access/hijack other HttpSessions and even delete unmatched
| HttpSessions present in the FileSystem's storage for the
| FileSessionDataStore.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7656
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656
[1] https://security-tracker.debian.org/tracker/CVE-2017-7657
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657
[2] https://security-tracker.debian.org/tracker/CVE-2017-7658
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
[3] https://security-tracker.debian.org/tracker/CVE-2018-12536
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536
[4] https://security-tracker.debian.org/tracker/CVE-2018-12538
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538

Please adjust the affected versions in the BTS as needed.

Markus

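As an added example (not Jetty's code and not part of this bug report), the framing checks a server or intermediary needs so that a request body cannot be re-read as a pipelined request, the condition behind CVE-2017-7657 and CVE-2017-7658 quoted above: strict chunk-size parsing with an explicit cap instead of a silently wrapping integer, and rejection of conflicting Content-Length / Transfer-Encoding headers. The cap value, the header-list representation and the helper names are assumptions.

```python
"""Defensive HTTP/1.1 framing checks (added example, not Jetty code)."""
import re
from typing import Callable, List, Tuple

MAX_CHUNK_SIZE = 2**31 - 1  # assumption: cap well below any accumulator wrap
# chunk-size = 1..8 hex digits, optionally followed by chunk extensions
CHUNK_SIZE_RE = re.compile(r"^([0-9A-Fa-f]{1,8})(;.*)?$")


def parse_chunk_size(line: str) -> int:
    """Parse one chunk-size line strictly. Rejects non-hex input, more than
    8 hex digits, and any size above MAX_CHUNK_SIZE, rather than letting a
    large value overflow into a smaller one (the CVE-2017-7657 failure)."""
    m = CHUNK_SIZE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed chunk-size line")
    size = int(m.group(1), 16)
    if size > MAX_CHUNK_SIZE:
        raise ValueError("chunk size exceeds limit")
    return size


def validate_framing(headers: List[Tuple[str, str]]) -> str:
    """Decide how the body is delimited, per RFC 7230 section 3.3.3:
    Transfer-Encoding together with Content-Length is rejected, differing
    Content-Length values are rejected (CVE-2017-7658 ignored the second),
    and 'chunked' must be the final transfer-coding.
    Returns 'chunked', 'content-length' or 'none'."""
    te = [v.strip().lower() for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v.strip() for k, v in headers if k.lower() == "content-length"]
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise ValueError("chunked is not the final transfer-coding")
        return "chunked"
    if cl:
        if any(not v.isdigit() for v in cl):
            raise ValueError("non-numeric Content-Length")
        if len(set(cl)) != 1:
            raise ValueError("conflicting Content-Length values")
        return "content-length"
    return "none"


def rejected(fn: Callable, *args) -> bool:
    """True if fn(*args) raises ValueError; handy for checking inputs."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```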

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#902774; Package jetty9. (Sun, 01 Jul 2018 20:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Jul 2018 20:42:03 GMT) (full text, mbox, link).


Message #10 received at 902774@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: 902774@bugs.debian.org
Cc: debian-lts@lists.debian.org, Emmanuel Bourg <ebourg@apache.org>
Subject: jetty/jetty8/jetty9 not affected by CVE-2018-12538
Date: Sun, 1 Jul 2018 16:23:31 -0400
Hi,

FYI, none of the jetty releases present in Debian are affected by
CVE-2018-12538.

CVE-2018-12538 affects FileSessionDataStore and more specifically its
function getFile(). This class was introduced in 9.4, this
vulnerability thus affects 9.4.x releases only (and jetty package has
version < 9.0, jetty9 has <= 9.2.24).

FTR FileSessionDataStore was introduced in
fa8232d3c81608c25d9e8c66cdfe8ab7a66c892b and the vulnerable code in
54a56314627f0a2c33ca67d813e3396f6bc03274.

regards,
 Hugo

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA



Changed Bug title to 'jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2018-12536' from 'jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2018-12536 CVE-2018-12538'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 17:51:03 GMT) (full text, mbox, link).


Marked as found in versions jetty9/9.2.24-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jul 2018 17:51:05 GMT) (full text, mbox, link).


Bug 902774 cloned as bug 902953. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Jul 2018 20:48:03 GMT) (full text, mbox, link).


Changed Bug title to 'jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2018-12536' from 'jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2018-12536'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Jul 2018 20:48:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#902774; Package jetty9. (Wed, 04 Jul 2018 04:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 04 Jul 2018 04:27:05 GMT) (full text, mbox, link).


Message #23 received at 902774@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 902774@bugs.debian.org, 902774-submitter@bugs.debian.org
Cc: Emmanuel Bourg <ebourg@apache.org>, team@security.debian.org
Subject: Re: Bug#902774: jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 CVE-2018-12536 CVE-2018-12538
Date: Wed, 4 Jul 2018 06:24:50 +0200
Control: retitle -1 jetty9: CVE-2018-12536
Control: retitle 902953 jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658
Hi

After discussion with Emmanuel, CVE-2017-7656, CVE-2017-7657 and
CVE-2017-7658 are fixed all in 9.2.25-1 with
https://github.com/eclipse/jetty.project/commit/a285deea .

So keeping this bug for the remaining one open for CVE-2018-12536.

Regards,
Salvatore



Changed Bug title to 'jetty9: CVE-2018-12536' from 'jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2018-12536'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 902774-submit@bugs.debian.org. (Wed, 04 Jul 2018 04:27:05 GMT) (full text, mbox, link).


Message sent on to Markus Koschany <apo@debian.org>:
Bug#902774. (Wed, 04 Jul 2018 04:27:08 GMT) (full text, mbox, link).


Marked as fixed in versions jetty9/9.2.25-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Sep 2018 20:45:02 GMT) (full text, mbox, link).


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Sep 2018 20:45:03 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Wed, 05 Sep 2018 20:45:04 GMT) (full text, mbox, link).


Message sent on to Markus Koschany <apo@debian.org>:
Bug#902774. (Wed, 05 Sep 2018 20:45:07 GMT) (full text, mbox, link).


Message #37 received at 902774-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 902774-submitter@bugs.debian.org
Subject: closing 902774
Date: Wed, 05 Sep 2018 22:41:55 +0200
close 902774 9.2.25-1
thanks

# https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 04 Oct 2018 07:30:06 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:33:53 2019; Machine Name: beach
