jetty9: CVE-2019-10241 CVE-2019-10247


Debian Bug report logs - #928444


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 4 May 2019 19:00:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version jetty9/9.4.15-1

Fixed in version jetty9/9.4.18-1

Done: tony mancill <tmancill@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#928444; Package src:jetty9. (Sat, 04 May 2019 19:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 04 May 2019 19:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jetty9: CVE-2019-10241 CVE-2019-10247
Date: Sat, 04 May 2019 20:57:31 +0200
Source: jetty9
Version: 9.4.15-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerabilities were published for jetty9. Although they
are distinct issues, and one is addressed in 9.4.16 and the other in
9.4.17, I still opted to file one single bug, assuming the next update
will move to at least 9.4.17.

CVE-2019-10241[0]:
| In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and
| 9.4.15 and older, the server is vulnerable to XSS conditions if a
| remote client uses a specially formatted URL against the
| DefaultServlet or ResourceHandler that is configured for showing a
| Listing of directory contents.


CVE-2019-10247[1]:
| In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older,
| and 9.4.16 and older, the server running on any OS and Jetty version
| combination will reveal the configured fully qualified directory base
| resource location on the output of the 404 error for not finding a
| Context that matches the requested path. The default server behavior
| on jetty-distribution and jetty-home will include at the end of the
| Handler tree a DefaultHandler, which is responsible for reporting this
| 404 error, it presents the various configured contexts as HTML for
| users to click through to. This produced HTML includes output that
| contains the configured fully qualified directory base resource
| location for each context.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
[1] https://security-tracker.debian.org/tracker/CVE-2019-10247
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577

Regards,
Salvatore
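
As an added example (not code from this bug report, the Debian package or the Jetty project): an embedded Jetty 9.4 server configured so that neither issue above is reachable at the configuration level, which is the practical interim step for a deployment still on 9.4.15. It assumes the org.eclipse.jetty jetty-server and jetty-servlet 9.4.x artifacts on the classpath; the port and the two resource base directories are placeholders.

```java
// Added example, not from the bug report or the Jetty project.
// Mitigates CVE-2019-10241 and CVE-2019-10247 by configuration on an
// unfixed Jetty 9.4.x; upgrading to 9.4.17 or later remains the real fix.
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class HardenedJetty {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // assumed port

        // CVE-2019-10241 is only reachable when directory listings are
        // generated. ResourceHandler: switch listings off explicitly.
        ResourceHandler staticFiles = new ResourceHandler();
        staticFiles.setResourceBase("/srv/www/static"); // assumed path
        staticFiles.setDirectoriesListed(false);

        // Same for DefaultServlet inside a servlet context. Its dirAllowed
        // init-param defaults to true; false makes a directory request
        // without a welcome file answer 403 instead of rendering a listing.
        ServletContextHandler app = new ServletContextHandler();
        app.setContextPath("/app");
        app.setResourceBase("/srv/www/app"); // assumed path
        ServletHolder def = new ServletHolder("default", DefaultServlet.class);
        def.setInitParameter("dirAllowed", "false");
        app.addServlet(def, "/");

        // CVE-2019-10247: the stock DefaultHandler 404 page lists every
        // context, and on affected versions that listing carries each
        // context's fully qualified base resource. Keep DefaultHandler for
        // the 404 itself but do not render the context listing at all.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);
        fallback.setServeIcon(false);

        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { app, staticFiles, fallback });
        server.setHandler(handlers);
        server.start();
        server.join();
    }
}
```

Both settings are mitigations rather than fixes: dirAllowed=false removes directory listings altogether, and showContexts=false drops the context list from the 404 page, which is where the base resource path was being printed. A quick way to confirm the settings took effect is to request a directory with no welcome file (expect 403, not a listing) and an unknown context path (expect a 404 body with no context list). For jetty.xml based deployments the same two knobs are the DefaultServlet dirAllowed init-param and the showContexts property of the DefaultHandler in the handler tree.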



Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Mon, 06 May 2019 04:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 06 May 2019 04:21:05 GMT)


Message #10 received at 928444-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 928444-close@bugs.debian.org
Subject: Bug#928444: fixed in jetty9 9.4.18-1
Date: Mon, 06 May 2019 04:19:33 +0000
Source: jetty9
Source-Version: 9.4.18-1

We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated jetty9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 19:57:45 -0700
Source: jetty9
Architecture: source
Version: 9.4.18-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 928444
Changes:
 jetty9 (9.4.18-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)
   * Freshen years in debian/copyright
   * Refresh patches for new upstream version
   * Add org.eclipse.jetty:infinispan-embedded et.al. to maven.ignoreRules
   * Update 09-tweak-distribution patch (jetty-home pom)
Checksums-Sha1:
 050f80c11729a966c0d78df835845c6cdf2090cb 2622 jetty9_9.4.18-1.dsc
 0eeecaeb08d9a2b45904a2a92cc10f53eaf662bc 10301968 jetty9_9.4.18.orig.tar.xz
 f4898cbbba9d6461c4b21c039ea93b4ce67083be 28216 jetty9_9.4.18-1.debian.tar.xz
 2b426a00fb47ad050495c21b2d052c6ccf028058 18079 jetty9_9.4.18-1_amd64.buildinfo
Checksums-Sha256:
 7b905e2d37e820c65519246c0f682788dc5bdf532020ffeaaef3f0faee20d7a4 2622 jetty9_9.4.18-1.dsc
 935161b28243806a45ff8d96dfa777f3d24f02710d52bea1750ea6edfe5c36d8 10301968 jetty9_9.4.18.orig.tar.xz
 35ea40f19a20870ce2b0ed4b53b8d65371b1ed91e82bf285ad076109d399b820 28216 jetty9_9.4.18-1.debian.tar.xz
 4ba5cc9f2e4321aec915d19b0e47c4010dec144069c027fbb6d883e40cf9d917 18079 jetty9_9.4.18-1_amd64.buildinfo
Files:
 4a1cf7b3a7dc28520fe2bd11fbcaa95c 2622 java optional jetty9_9.4.18-1.dsc
 013159ba52323b1d2fa4d27273e2c9ff 10301968 java optional jetty9_9.4.18.orig.tar.xz
 b921ec92774d585fa2f011e32ed0fa18 28216 java optional jetty9_9.4.18-1.debian.tar.xz
 8de10908581599ec0cc2d9bc0003cc22 18079 java optional jetty9_9.4.18-1_amd64.buildinfo





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#928444; Package src:jetty9. (Sun, 26 May 2019 19:27:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 26 May 2019 19:27:05 GMT)


Message #15 received at 928444@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: tony mancill <tmancill@debian.org>
Cc: 928444@bugs.debian.org
Subject: Re: Bug#928444: fixed in jetty9 9.4.18-1
Date: Sun, 26 May 2019 21:24:30 +0200
On Mon, May 06, 2019 at 04:19:33AM +0000, tony mancill wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sun, 05 May 2019 19:57:45 -0700
> Source: jetty9
> Architecture: source
> Version: 9.4.18-1
> Distribution: experimental
> Urgency: medium
> Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
> Changed-By: tony mancill <tmancill@debian.org>
> Closes: 928444
> Changes:
>  jetty9 (9.4.18-1) experimental; urgency=medium
>  .
>    * Team upload.
>    * New upstream release
>      - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)

What's the plan for unstable/buster?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#928444; Package src:jetty9. (Sun, 26 May 2019 22:18:03 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 26 May 2019 22:18:04 GMT)


Message #20 received at 928444@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, ebourg@apache.org
Cc: 928444@bugs.debian.org
Subject: Re: Bug#928444: fixed in jetty9 9.4.18-1
Date: Sun, 26 May 2019 15:14:56 -0700
On Sun, May 26, 2019 at 09:24:30PM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 06, 2019 at 04:19:33AM +0000, tony mancill wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> > 
> > Format: 1.8
> > Date: Sun, 05 May 2019 19:57:45 -0700
> > Source: jetty9
> > Architecture: source
> > Version: 9.4.18-1
> > Distribution: experimental
> > Urgency: medium
> > Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
> > Changed-By: tony mancill <tmancill@debian.org>
> > Closes: 928444
> > Changes:
> >  jetty9 (9.4.18-1) experimental; urgency=medium
> >  .
> >    * Team upload.
> >    * New upstream release
> >      - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)
> 
> What's the plan for unstable/buster?

Hi Moritz,

Good question!  I uploaded the new version to experimental so users had
at least one option within Debian for addressing those CVEs, but I
haven't looked into what it would take to backport just the CVE patches
to 9.4.15.

Are we deep enough into the freeze that it is reasonable to go ahead and
upload to unstable?  (I'm never sure how to judge these things.)

For buster, t-p-u would have a quick turn around, but there are a number
of upstream changes between 9.4.15 and 9.4.18 [1], and I don't have a
good sense for the risk trade-off between the new version and the
backport.  Since I haven't handled any of the jetty9 uploads, I would
like to defer to Emmanuel to see if he has a preference.

Thank you,
tony

[1] https://salsa.debian.org/java-team/jetty9/blob/be3f955ab42b5612e1022667216f8453812f5277/VERSION.txt#L1-43

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#928444; Package src:jetty9. (Mon, 27 May 2019 07:15:03 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 27 May 2019 07:15:03 GMT)


Message #25 received at 928444@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: tony mancill <tmancill@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>
Cc: 928444@bugs.debian.org
Subject: Re: Bug#928444: fixed in jetty9 9.4.18-1
Date: Mon, 27 May 2019 09:06:38 +0200
On 27/05/2019 at 00:14, tony mancill wrote:

> For buster, t-p-u would have a quick turn around, but there are a number
> of upstream changes between 9.4.15 and 9.4.18 [1], and I don't have a
> good sense for the risk trade-off between the new version and the
> backport.  Since I haven't handled any of the jetty9 uploads, I would
> like to defer to Emmanuel to see if he has a preference.

Jetty minor updates are usually quite stable. Looking at the diff,
focusing on the code built only, the upgrade to 9.4.18 is under 9K lines
changed.

ebourg@icare:~/packaging/jetty9 [master|⚑ 4] $ git diff -w \
    upstream/9.4.15..upstream/9.4.18 -- ':!*Jenkins*' ':!*/pom.xml' \
    ':!*/test/*' ':!jetty-alpn/jetty-alpn-conscrypt*' ':!jetty-hazelcast/*' \
    ':!jetty-ininispan/*' ':!tests' ':!jetty-maven-plugin/*' ':!jetty-jmh/*' \
    ':!examples/*' | wc
   8698   30628  355212

If the Release Team agrees I wouldn't mind pushing 9.4.18 to testing.

Emmanuel Bourg




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:38:28 2019; Machine Name: buxtehude
