eclipse-sig

eclipse-sig@lists.fedoraproject.org

1366 discussions

[Bug 1945710] New: CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
by bugzilla＠redhat.com 09 Sep '22

09 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1945710 Bug ID: 1945710 Summary: CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, dbecker(a)redhat.com, drieden(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eparis(a)redhat.com, eric.wittmann(a)redhat.com, etirelli(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, jburrell(a)redhat.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, mat.booth(a)gmail.com, mburns(a)redhat.com, mizdebsk(a)redhat.com, mkolesni(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, pantinor(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, slinaber(a)redhat.com, sochotni(a)redhat.com, sponnaga(a)redhat.com, swoodman(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. References: https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888… -- You are receiving this mail because: You are on the CC list for the bug.

1 36

[Bug 1934116] New: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
by bugzilla＠redhat.com 09 Sep '22

09 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1934116 Bug ID: 1934116 Summary: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jjohnstn(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, mat.booth(a)redhat.com, mcermak(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, mprchlik(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, patrickm(a)redhat.com, pbhattac(a)redhat.com, pdrozd(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sochotni(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, tcunning(a)redhat.com, tflannag(a)redhat.com, tkirby(a)redhat.com, vbobade(a)redhat.com, vkadlcik(a)redhat.com Target Milestone: --- Classification: Other In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. References: https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128 https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww… -- You are receiving this mail because: You are on the CC list for the bug.

1 39

[Bug 1987678] New: lucene: FTBFS in Fedora rawhide/f35
by bugzilla＠redhat.com 08 Aug '22

08 Aug '22

https://bugzilla.redhat.com/show_bug.cgi?id=1987678 Bug ID: 1987678 Summary: lucene: FTBFS in Fedora rawhide/f35 Product: Fedora Version: rawhide Status: NEW Component: lucene Assignee: akurtako(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, dbhole(a)redhat.com, dchen(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com, lef(a)fedoraproject.org, rgrunber(a)redhat.com Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS) Target Milestone: --- Classification: Fedora lucene failed to build from source in Fedora rawhide/f35 https://koji.fedoraproject.org/koji/taskinfo?taskID=72400674 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Please fix lucene at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, lucene will be orphaned. Before branching of Fedora 36, lucene will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails… Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1927309 [Bug 1927309] Fedora 35 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1944888] New: CVE-2021-21409 netty: Request smuggling via content-length header
by bugzilla＠redhat.com 05 Jul '22

05 Jul '22

https://bugzilla.redhat.com/show_bug.cgi?id=1944888 Bug ID: 1944888 Summary: CVE-2021-21409 netty: Request smuggling via content-length header Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, akurtako(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, andjrobins(a)gmail.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dbhole(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)gmail.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nmoumoul(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pcreech(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rgrunber(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sbiarozk(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. References: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0… https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj -- You are receiving this mail because: You are on the CC list for the bug.

1 55

[Bug 1937364] New: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
by bugzilla＠redhat.com 05 Jul '22

05 Jul '22

https://bugzilla.redhat.com/show_bug.cgi?id=1937364 Bug ID: 1937364 Summary: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, akurtako(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, andjrobins(a)gmail.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dbhole(a)redhat.com, decathorpe(a)gmail.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nmoumoul(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pcreech(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rgrunber(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sbiarozk(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. Reference: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj Upstream patch: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3… -- You are receiving this mail because: You are on the CC list for the bug.

1 47

[Bug 2095426] New: [RFE] jetty use systemd-sysusers
by bugzilla＠redhat.com 09 Jun '22

09 Jun '22

https://bugzilla.redhat.com/show_bug.cgi?id=2095426 Bug ID: 2095426 Summary: [RFE] jetty use systemd-sysusers Product: Fedora Version: 36 Status: NEW Component: jetty Assignee: mat.booth(a)gmail.com Reporter: riehecky(a)fnal.gov QA Contact: extras-qa(a)fedoraproject.org CC: eclipse-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com, mat.booth(a)gmail.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: jetty is using static user add scripts Version-Release number of selected component (if applicable): jetty-9.4.38-2 How reproducible: 100% Steps to Reproduce: 1.review %pre 2. 3. Actual results: %pre # Add the "jetty" user and group getent group %username >/dev/null || groupadd -f -g %jtuid -r %username if ! getent passwd %username >/dev/null ; then if ! getent passwd %jtuid >/dev/null ; then useradd -r -u %jtuid -g %username -d %homedir -s /sbin/nologin \ -c "Jetty web server" %username else useradd -r -g %username -d %homedir -s /sbin/nologin \ -c "Jetty web server" %username fi fi exit 0 Expected results: use of system-sysusers Additional info: https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2095426

1 0

[Bug 1985223] New: CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints
by bugzilla＠redhat.com 07 Jun '22

07 Jun '22

https://bugzilla.redhat.com/show_bug.cgi?id=1985223 Bug ID: 1985223 Summary: CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: mrehak(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, dbecker(a)redhat.com, drieden(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eparis(a)redhat.com, eric.wittmann(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hbraun(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jkang(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jwon(a)redhat.com, krzysztof.daniel(a)gmail.com, lhh(a)redhat.com, lpeer(a)redhat.com, mat.booth(a)gmail.com, mburns(a)redhat.com, mizdebsk(a)redhat.com, mkolesni(a)redhat.com, nstielau(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pjindal(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sd-operator-metering(a)redhat.com, slinaber(a)redhat.com, sochotni(a)redhat.com, sponnaga(a)redhat.com, swoodman(a)redhat.com, tflannag(a)redhat.com, vbobade(a)redhat.com Target Milestone: --- Classification: Other For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. Upstream Issue: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w… -- You are receiving this mail because: You are on the CC list for the bug.

1 18

[Bug 1985225] New: CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints [fedora-all]
by bugzilla＠redhat.com 07 Jun '22

07 Jun '22

https://bugzilla.redhat.com/show_bug.cgi?id=1985225 Bug ID: 1985225 Summary: CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints [fedora-all] Product: Fedora Version: 34 Status: NEW Component: jetty Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mat.booth(a)gmail.com Reporter: mrehak(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: eclipse-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com, mat.booth(a)gmail.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1974891] New: CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
by bugzilla＠redhat.com 07 Jun '22

07 Jun '22

https://bugzilla.redhat.com/show_bug.cgi?id=1974891 Bug ID: 1974891 Summary: CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, dbecker(a)redhat.com, drieden(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eparis(a)redhat.com, eric.wittmann(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hbraun(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jkang(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jwon(a)redhat.com, krzysztof.daniel(a)gmail.com, lhh(a)redhat.com, lpeer(a)redhat.com, mat.booth(a)gmail.com, mburns(a)redhat.com, mizdebsk(a)redhat.com, mkolesni(a)redhat.com, nstielau(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sd-operator-metering(a)redhat.com, slinaber(a)redhat.com, sochotni(a)redhat.com, sponnaga(a)redhat.com, swoodman(a)redhat.com, tflannag(a)redhat.com, vbobade(a)redhat.com Target Milestone: --- Classification: Other For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. Reference: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx… -- You are receiving this mail because: You are on the CC list for the bug.

1 26

[Bug 1974892] New: CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout [fedora-all]
by bugzilla＠redhat.com 07 Jun '22

07 Jun '22

https://bugzilla.redhat.com/show_bug.cgi?id=1974892 Bug ID: 1974892 Summary: CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout [fedora-all] Product: Fedora Version: 34 Status: NEW Component: jetty Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: mat.booth(a)gmail.com Reporter: gsuckevi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: eclipse-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com, mat.booth(a)gmail.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

1 4

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

eclipse-sig