CVE-2009-1523: Directory traversal vulnerability in the HTTP server in Mort Bay Jetty


Debian Bug report logs - #528389


Reported by: Luciano Bello <luciano@debian.org>

Date: Tue, 12 May 2009 16:09:04 UTC

Severity: serious

Tags: security

Fixed in versions jetty/6.1.19-1, jetty/6.1.20-1

Done: Torsten Werner <twerner@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#528389; Package jetty. (Tue, 12 May 2009 16:09:07 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 12 May 2009 16:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2009-1523: Directory traversal vulnerability in the HTTP server in Mort Bay Jetty
Date: Tue, 12 May 2009 13:00:42 -0300
Package: jetty
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for jetty.

CVE-2009-1523[0]:
| Directory traversal vulnerability in the HTTP server in Mort Bay Jetty
| before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote
| attackers to access arbitrary files via directory traversal sequences
| in the URI.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1523
    http://security-tracker.debian.net/tracker/CVE-2009-1523
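The CVE text quoted above names the bug class (traversal sequences in the request URI reaching files outside the served tree) but the report does not say where in Jetty's path handling the check was missing, so what follows does not reproduce Jetty's code. It is an added example, written in Python rather than Java so it runs stand-alone: a static-file resolver in the vulnerable shape beside a hardened one, run over constructed request URIs including the percent-encoded forms a traversal probe typically tries. The document root /srv/www/static and the sample URIs are assumptions for the demonstration.

```python
"""Added example illustrating the bug class behind CVE-2009-1523.
Not Jetty's code: naive_resolve() is the vulnerable pattern, safe_resolve()
one correct way to map a request URI onto a document root."""
import os
from urllib.parse import unquote

DOC_ROOT = "/srv/www/static"  # hypothetical document root, not from the report


def naive_resolve(doc_root, uri_path):
    """Vulnerable: decode the request path and glue it onto the root.
    '..' segments, literal or percent-encoded, then walk out of doc_root."""
    return doc_root + unquote(uri_path)


def naive_target(doc_root, uri_path):
    """Where the vulnerable resolver actually lands once the OS collapses '..'."""
    return os.path.normpath(naive_resolve(doc_root, uri_path))


def safe_resolve(doc_root, uri_path):
    """Map uri_path onto doc_root; return the absolute path, or None if the
    request must be refused (400/404)."""
    # Decode exactly once. Decoding again after the check would turn
    # "%252e%252e" into ".." behind the check's back.
    path = unquote(uri_path)
    # NUL truncates the name at the C/filesystem boundary; backslash is a
    # separator on Windows. Neither has a legitimate use in a static-file URI.
    if "\x00" in path or "\\" in path:
        return None
    # Walk the segments instead of calling posixpath.normpath(): normpath
    # clamps "/../x" to "/x", which hides a traversal attempt instead of
    # refusing it, and the refusal is what you want to see in the log.
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # attempted to climb above the document root
            parts.pop()
            continue
        parts.append(seg)
    candidate = os.path.join(doc_root, *parts)
    # Defence in depth: after symlink resolution the target must still lie
    # under the root (covers a symlink planted inside doc_root).
    real_root = os.path.realpath(doc_root)
    real_target = os.path.realpath(candidate)
    if os.path.commonpath([real_root, real_target]) != real_root:
        return None
    return candidate


# Constructed request paths (assumed for the demonstration), including the
# encoded forms a traversal probe usually tries.
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/../index.html",
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/..%2f..%2f..%2fetc%2fpasswd",
    "/images/logo%00.png",
]


def classify(doc_root, requests):
    """Return {uri: resolved_path_or_None} using the hardened resolver."""
    return {uri: safe_resolve(doc_root, uri) for uri in requests}


if __name__ == "__main__":
    for uri, target in classify(DOC_ROOT, SAMPLE_REQUESTS).items():
        print(f"{uri:40} -> {target or 'REJECT'}")
    # The naive resolver hands the traversal straight to the filesystem.
    print("naive:", naive_target(DOC_ROOT, "/../../../etc/passwd"))
```

The hardened resolver refuses rather than clamps an escaping path, decodes exactly once, and re-checks after symlink resolution; the first two properties are what makes the probe visible in a request log, the third covers a symlink planted under the root.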




Tags added: pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 30 Jun 2009 08:06:07 GMT)


Bug marked as fixed in versions jetty/6.1.19-1. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Sat, 25 Jul 2009 11:16:08 GMT)


Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Tue, 25 Aug 2009 07:48:27 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Tue, 25 Aug 2009 07:48:28 GMT)


Message #14 received at 528389-done@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 528389-done@bugs.debian.org
Subject: Fixed - just not closed.
Date: Tue, 25 Aug 2009 09:43:19 +0200
Hi

This was fixed in 6.1.19-1, but never closed. The CVE was not in the
changelog, however I have filed a new bug asking the jetty uploaders to
fix this (#543462).
	
~Niels


Reply sent to Torsten Werner <twerner@debian.org>:
You have taken responsibility. (Sun, 06 Sep 2009 21:57:07 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Sun, 06 Sep 2009 21:57:07 GMT)


Message #19 received at 528389-close@bugs.debian.org:

From: Torsten Werner <twerner@debian.org>
To: 528389-close@bugs.debian.org
Subject: Bug#528389: fixed in jetty 6.1.20-1
Date: Sun, 06 Sep 2009 21:34:40 +0000
Source: jetty
Source-Version: 6.1.20-1

We believe that the bug you reported is fixed in the latest version of
jetty, which is due to be installed in the Debian FTP archive:

jetty_6.1.20-1.diff.gz
  to pool/main/j/jetty/jetty_6.1.20-1.diff.gz
jetty_6.1.20-1.dsc
  to pool/main/j/jetty/jetty_6.1.20-1.dsc
jetty_6.1.20-1_all.deb
  to pool/main/j/jetty/jetty_6.1.20-1_all.deb
jetty_6.1.20.orig.tar.gz
  to pool/main/j/jetty/jetty_6.1.20.orig.tar.gz
libjetty-extra-java_6.1.20-1_all.deb
  to pool/main/j/jetty/libjetty-extra-java_6.1.20-1_all.deb
libjetty-java-doc_6.1.20-1_all.deb
  to pool/main/j/jetty/libjetty-java-doc_6.1.20-1_all.deb
libjetty-java_6.1.20-1_all.deb
  to pool/main/j/jetty/libjetty-java_6.1.20-1_all.deb
libjetty-setuid-java_6.1.20-1_amd64.deb
  to pool/main/j/jetty/libjetty-setuid-java_6.1.20-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528389@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Torsten Werner <twerner@debian.org> (supplier of updated jetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 06 Sep 2009 23:06:45 +0200
Source: jetty
Binary: libjetty-java libjetty-java-doc libjetty-extra-java libjetty-setuid-java jetty
Architecture: source all amd64
Version: 6.1.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Torsten Werner <twerner@debian.org>
Description: 
 jetty      - Java servlet engine and webserver
 libjetty-extra-java - Java servlet engine and webserver -- extra libraries
 libjetty-java - Java servlet engine and webserver -- core libraries
 libjetty-java-doc - Javadoc for the Jetty API
 libjetty-setuid-java - Java servlet engine and webserver -- extra libraries
Closes: 425152 452586 454529 454529 458399 498582 527571 527571 528389 528389 530720 540861 543462
Changes: 
 jetty (6.1.20-1) unstable; urgency=medium
 .
   [ Niels Thykier ]
   * New upstream release.
   * Stop using Build-Depends-Indep, since the policy and the build
     daemons disagree on when it should be used (Closes: #540861).
   * Corrected jetty.install to reflect the move of some license files
     in the source tree.
   * Bumped to Standard-Versions 3.8.3 - no changes required.
   * Updated jetty.post{install,rm} scripts to use "set -e" instead of
     passing it to sh.
   * Installed "VERSION.txt" as upstream changelog.
   * A previous version (6.1.18-1) fixed the following security problems, which
     were not mentioned in the changelog: CVE-2007-5613, CVE-2007-5614,
     CVE-2007-5615, CVE-2009-1523, and CVE-2009-1524 (see below for more
     information).
 .
   [ Torsten Werner ]
   * Set urgency to medium because this version fixes a FTBFS.
 .
 jetty (6.1.19-2) unstable; urgency=low
 .
   * Upload to unstable.
 .
 jetty (6.1.19-1) experimental; urgency=low
 .
   [ Ludovic Claude ]
   * New upstream release fixing a security vulnerability
     (cookies are not secure if you are running behind a netscaler).
   * Remove the bootstrap patch as it has been added upstream and update
     the build to use the new start-daemon component.
   * Remove the Build-Depend on quilt as the patch is not needed anymore.
   * Add the Maven POM to the package.
   * Add a Build-Depends dependency on maven-repo-helper.
   * Use mh_installpom and mh_installjar to install the POM and the jar to the
     Maven repository.
   * Add optional support for web applications located in /usr/share/webapps.
   * Add a cron job that cleans up the old log files in /var/log/jetty.
   * Register the Javadoc into Debian documentation and put it in a
     separate package (libjetty-java-doc).
   * Use openjdk-6-jdk for the build; add a Build-Depends on this
     package. Required to build the javadoc.
   * Update debian/copyright (patch provided by Jan Pascal Vanbest
     <janpascal@vanbest.org>).
 .
   [ Torsten Werner ]
   * Add myself to Uploaders.
   * Update Standards-Version: 3.8.2.
   * Move package libjetty-java-doc to Section: doc.
   * Fix init script: check for /etc/default/rcS before reading it.
 .
 jetty (6.1.18-1) unstable; urgency=low
 .
   [Ludovic Claude]
   * Add myself to Uploaders.
   * Change the build dependency on java-gcj to default-jdk.
   * Add init.d startup script.
   * Add dependencies on ant, libslf4j-java, libxerces2-java, libtomcat6-java
     for libjetty-extra-java, add links for the lib folder.
   * Add dependency on jsvc to run jetty as a daemon.
   * Add the package libjetty-setuid-java for the Setuid module (with native
     code).
   * Add an index page used when Jetty starts.
   * Use latest jasper from Tomcat to provide jsp 2.1 instead of
     Glassfish JSP implementation as in the standard distribution.
   * Add tools.jar to the classpath to be able to run JSP (Closes: #452586).
   * Fix Lintian warnings: add ${misc:Depends} to all Depends.
   * Move jetty to main as all its dependencies are in main,
     and jetty contains only code that complies with Debian guidelines,
     use java section like tomcat6
     (Closes: #498582).
   * Do not depend on tomcat 5.5 (Closes: #530720, #458399).
   * Remove empty prerm and preinst scripts.
   * Remove old patches that don't apply anymore.
   * Update copyright and remove full text of Apache license.
   * Bump up compat to 6 and Standards-Version to 3.8.1.
 .
   [David Yu]
   * New upstream release for jetty
     (Closes: #528389, #527571, #454529, #425152).
   * Fixed jetty.links. Now delegates install of start.jar to libjetty-java.
 .
   [ Torsten Werner ]
   * fixes several security issues:
     - CVE-2007-5613: Cross-site scripting (XSS) vulnerability in Dump Servlet.
     - CVE-2007-5614: Quote Sequence vulnerability.
     - CVE-2007-5615: CRLF injection vulnerability.
     - CVE-2009-1523: Directory traversal vulnerability in the HTTP server in
     Mort Bay Jetty.
     - CVE-2009-1524: Cross-site scripting (XSS) vulnerability in Mort
     Bay Jetty.
     (Closes: #454529, #528389, #527571, #543462).
Checksums-Sha1: 
 cc9fa191dd73d66aedcef05acee5e2d9b1d8016c 1605 jetty_6.1.20-1.dsc
 cc2c8784dd9d25be5a89fe3315ef1ab481d0cdba 2051081 jetty_6.1.20.orig.tar.gz
 fd0b083a6b199d0aebf6b15f5796f006f4333460 18125 jetty_6.1.20-1.diff.gz
 e31651813c90383cb7ddc1cc8069fdfbe082ef5e 769390 libjetty-java_6.1.20-1_all.deb
 29182c16ef3ae40947429305ebc251f7d2b34985 745354 libjetty-java-doc_6.1.20-1_all.deb
 cf455696221952ccee11e5fb04399792a28fe582 254872 libjetty-extra-java_6.1.20-1_all.deb
 4f55ca9d4a04773025e26ab7ba410934f4a6e7d1 848986 jetty_6.1.20-1_all.deb
 7642167b67aed0614c2c6eb3f9d92abff97ab4eb 68278 libjetty-setuid-java_6.1.20-1_amd64.deb
Checksums-Sha256: 
 270ee8453b154f2c9c41e99c14328da7e68eabdfeb1a8bc403e0e8ac4cfbc80a 1605 jetty_6.1.20-1.dsc
 213a436999ce5614869a359335c834a7dbb61c4aa94e018e9a801fbc59ffcb49 2051081 jetty_6.1.20.orig.tar.gz
 dce11b30abcfda11e9b943d3d5cdf560018c020b411e33b42fd1851fa9dbb1fa 18125 jetty_6.1.20-1.diff.gz
 70a60804575b8fd95d730a29d5990140d09a7c046a3fccd13064d1590344bdc4 769390 libjetty-java_6.1.20-1_all.deb
 00ac7ffc3c7df0a0ad539c36e65dc8043d62a199c29c200bcff999c5b17b3922 745354 libjetty-java-doc_6.1.20-1_all.deb
 2139cb11284b339c8c88f94c3dba37fd30696896edad54caddd534437935342e 254872 libjetty-extra-java_6.1.20-1_all.deb
 fae4889da4f0e8769557943164325ead0e2ba0fc5b01d1845171dc4e4764ec8a 848986 jetty_6.1.20-1_all.deb
 5b7e3056d86908840d213320485c73d2fce10fc4b383f3ea8338853e70e94636 68278 libjetty-setuid-java_6.1.20-1_amd64.deb
Files: 
 6951ff5cd4d591e4ecdc3fde42ce1d8b 1605 java optional jetty_6.1.20-1.dsc
 891a807131b74b67e2ebaf3c631614e1 2051081 java optional jetty_6.1.20.orig.tar.gz
 c1f0540c34722f8c70001a47525f6c1a 18125 java optional jetty_6.1.20-1.diff.gz
 4252291b405972d97b2434e22d99a7ab 769390 java optional libjetty-java_6.1.20-1_all.deb
 8aa6ee5712c6ad84057cd0aec4223740 745354 doc optional libjetty-java-doc_6.1.20-1_all.deb
 20fe0fb192e5a6b7b98abc0e692f5a8d 254872 java optional libjetty-extra-java_6.1.20-1_all.deb
 508bf888d8d5f68e6320c5dafdc39541 848986 java optional jetty_6.1.20-1_all.deb
 4084484c2e3bd42fd01199f6d1c9986e 68278 java optional libjetty-setuid-java_6.1.20-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqkJ2MACgkQfY3dicTPjsOt4ACgjKmi/dkLbrgo+WbHmryTATFG
/VkAn2OKy6HFaZe6ChA28efD7B+fa26S
=vKvG
-----END PGP SIGNATURE-----
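The changelog above records the fix in 6.1.18-1, the bug's own fixed-in field says 6.1.19-1 and 6.1.20-1, and upstream's text puts the cutoff at 6.1.17. Deciding whether a given host is covered therefore comes down to Debian version ordering, which is neither string nor plain numeric comparison (6.1.9-1 sorts before 6.1.18-1, and 6.1.18~rc1-1 before 6.1.18-1). The following is an added example, not part of the report and not dpkg's code: a Python port of the comparison rules from dpkg's verrevcmp() (Debian Policy section 5.6.12), applied to a constructed inventory of installed versions. The host names, their versions, and the choice of 6.1.18-1 as the threshold are assumptions for the demonstration; pass 6.1.19-1 if you prefer the BTS field.

```python
"""Added example: is an installed jetty package at or past the fixed
version?  Comparison logic is a port of dpkg's verrevcmp()/order();
the inventory below is constructed, not taken from the report."""


def _order(c):
    """dpkg's character weight: '~' sorts before everything (even end of
    string), letters before other non-digits; digits are handled apart."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings: alternate
    non-digit runs (lexical, dpkg ordering) and digit runs (numeric)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia] if ia < len(a) else "")
            bc = _order(b[ib] if ib < len(b) else "")
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":   # leading zeros are insignificant
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():   # longer digit run wins
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split [epoch:]upstream[-revision]; a missing revision counts as 0."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


# Threshold from the changelog in this report (6.1.18-1 fixed the CVEs);
# the BTS fixed-in field would give 6.1.19-1. Assumption for the demo.
FIXED_DEBIAN = "6.1.18-1"


def is_fixed(installed, fixed=FIXED_DEBIAN):
    return compare_versions(installed, fixed) >= 0


# Constructed inventory, as `dpkg-query -W -f='${Version}' jetty` would
# report per host. Hosts and versions are made up for the demonstration.
SAMPLE_HOSTS = {
    "web-a": "6.1.14-1",
    "web-b": "6.1.18-1",
    "web-c": "6.1.20-1",
    "web-d": "6.1.18~rc1-1",
}


def affected_hosts(inventory, fixed=FIXED_DEBIAN):
    """Hosts whose installed version sorts below the fixed version."""
    return sorted(h for h, v in inventory.items() if not is_fixed(v, fixed))


if __name__ == "__main__":
    print("still affected:", affected_hosts(SAMPLE_HOSTS))
```

Running the inventory through with the changelog threshold flags web-a and web-d; with the BTS threshold of 6.1.19-1, web-b would be flagged as well, which is the conservative reading if you do not trust the changelog note.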





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Oct 2009 07:40:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:50 2019; Machine Name: buxtehude
