https://bugzilla.redhat.com/show_bug.cgi?id=1945710
Bug ID: 1945710
Summary: CVE-2021-28163 jetty: Symlink directory exposes webapp
directory contents
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
etirelli(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, hbraun(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com, jburrell(a)redhat.com,
jjohnstn(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
mat.booth(a)gmail.com, mburns(a)redhat.com,
mizdebsk(a)redhat.com, mkolesni(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to
11.0.1, if a user uses a webapps directory that is a symlink, the contents of
the webapps directory are deployed as a static webapp, inadvertently serving the
webapps themselves and anything else that might be in that directory.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888…
--
You are receiving this mail because:
You are on the CC list for the bug.
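A check for the deployment layout this bug describes, as an added example in Python (not Jetty's own code and not part of the bug report): build_demo_layout() creates a constructed Jetty-base-like tree whose webapps entry is a symlink, audit_webapps_dir() reports what a static deployment of that directory itself would serve (the .war files and anything else sitting beside them), and replace_symlink_with_directory() swaps the symlink for a real directory. The file names, the credentials file and the temporary tree are constructed for the example.

```python
import os
import tempfile


def build_demo_layout():
    """Create a constructed Jetty-base-like tree (not a real installation):

        base/real_webapps/shop.war            a deployable war
        base/real_webapps/db-credentials.txt  a stray file beside it
        base/webapps -> real_webapps          the symlink this bug is about

    Returns the base path."""
    base = tempfile.mkdtemp(prefix="jetty-base-")
    real = os.path.join(base, "real_webapps")
    os.mkdir(real)
    with open(os.path.join(real, "shop.war"), "wb") as f:
        f.write(b"PK\x03\x04")  # zip magic only; the war contents do not matter here
    with open(os.path.join(real, "db-credentials.txt"), "w") as f:
        f.write("password=constructed-example\n")
    os.symlink("real_webapps", os.path.join(base, "webapps"))
    return base


def audit_webapps_dir(base, name="webapps"):
    """Report whether base/<name> is a symlink and, if it is, every entry a
    static deployment of the directory itself would serve: the wars and
    anything else that happens to sit next to them."""
    path = os.path.join(base, name)
    is_link = os.path.islink(path)
    target = os.path.realpath(path)
    entries = sorted(os.listdir(target)) if os.path.isdir(target) else []
    return {
        "path": path,
        "is_symlink": is_link,
        "resolved_target": target,
        "entries": entries,
        "would_expose": entries if is_link else [],
    }


def replace_symlink_with_directory(base, name="webapps"):
    """Remediation for the layout: move the real directory into the place
    the symlink occupied. Returns True if a symlink was replaced."""
    path = os.path.join(base, name)
    if not os.path.islink(path):
        return False
    target = os.path.realpath(path)
    os.unlink(path)
    os.rename(target, path)
    return True


if __name__ == "__main__":
    demo = build_demo_layout()
    print(audit_webapps_dir(demo))
    replace_symlink_with_directory(demo)
    print(audit_webapps_dir(demo))
```

Run against a real $JETTY_BASE the audit is the pre-deployment check: a symlinked webapps directory on an affected version serves its listing, so either the layout or the Jetty version has to change.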
https://bugzilla.redhat.com/show_bug.cgi?id=1934116
Bug ID: 1934116
Summary: CVE-2020-27223 jetty: request containing multiple
Accept headers with a large number of "quality"
parameters may lead to DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aboyko(a)redhat.com,
aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, aos-bugs(a)redhat.com,
ataylor(a)redhat.com, bibryam(a)redhat.com,
bmontgom(a)redhat.com, chazlett(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
hbraun(a)redhat.com, ibek(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
mat.booth(a)redhat.com, mcermak(a)redhat.com,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
mprchlik(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pantinor(a)redhat.com,
patrickm(a)redhat.com, pbhattac(a)redhat.com,
pdrozd(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sochotni(a)redhat.com,
sponnaga(a)redhat.com, sthorger(a)redhat.com,
tcunning(a)redhat.com, tflannag(a)redhat.com,
tkirby(a)redhat.com, vbobade(a)redhat.com,
vkadlcik(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and
11.0.0 when Jetty handles a request containing multiple Accept headers with a
large number of “quality” (i.e. q) parameters, the server may enter a denial of
service (DoS) state due to high CPU usage processing those quality values,
resulting in minutes of CPU time exhausted processing those quality values.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww…
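The header shape this advisory describes, and the bound a server should put on it, as an added example in Python (not Jetty's code): parse_accept() parses one or more Accept header values into media ranges ordered by q, but first counts list members and parameters and refuses the request when either exceeds a cap, so an abusive request costs time linear in its length instead of being parsed, compared and sorted. The cap values and the input built by build_abusive_accept() are constructed for the example; the q-value grammar is RFC 7231's.

```python
import re

# Constructed policy values for this example; a real server would make them configurable.
MAX_ACCEPT_VALUES = 32      # media ranges across all Accept headers of one request
MAX_PARAMS_PER_VALUE = 4    # parameters on one media range; real ones rarely carry more

_Q_RE = re.compile(r"^(0(\.\d{0,3})?|1(\.0{0,3})?)$")  # RFC 7231 qvalue


class AcceptTooComplex(ValueError):
    """The request should be rejected (400) before any per-value work is done."""


def _parse_q(value):
    """qvalue is 0..1 with at most three decimals; anything else is treated
    as q=0 rather than raised, which is how servers commonly behave."""
    return float(value) if _Q_RE.match(value) else 0.0


def parse_accept(header_values, max_values=MAX_ACCEPT_VALUES,
                 max_params=MAX_PARAMS_PER_VALUE):
    """Parse Accept header values into (media_type, q, params) sorted by
    descending q (ties keep header order). Raises AcceptTooComplex when the
    request exceeds the caps. Note: splits on ',' and ';' only, so quoted
    parameter values containing those characters are out of scope here."""
    # Cheap pre-check over the raw strings: this is the only work an
    # over-sized request gets to cause.
    total_values = 0
    for hv in header_values:
        members = [m for m in hv.split(",") if m.strip()]
        total_values += len(members)
        if total_values > max_values:
            raise AcceptTooComplex(f"more than {max_values} Accept members")
        for m in members:
            if m.count(";") > max_params:
                raise AcceptTooComplex(
                    f"more than {max_params} parameters in {m.strip()!r}")
    parsed = []
    order = 0
    for hv in header_values:
        for member in hv.split(","):
            member = member.strip()
            if not member:
                continue
            parts = [p.strip() for p in member.split(";")]
            media = parts[0].lower()
            q = 1.0
            params = {}
            for p in parts[1:]:
                if "=" not in p:
                    continue
                k, v = p.split("=", 1)
                k, v = k.strip().lower(), v.strip().strip('"')
                if k == "q":
                    q = _parse_q(v)
                else:
                    params[k] = v
            parsed.append((media, q, params, order))
            order += 1
    parsed.sort(key=lambda t: (-t[1], t[3]))
    return [(m, q, p) for (m, q, p, _) in parsed]


def build_abusive_accept(n_headers=50, params_per_value=200):
    """Constructed attacker input with the advisory's shape: many Accept
    headers, each media range carrying a long run of q parameters."""
    member = "text/html" + ";q=0.9" * params_per_value
    return [",".join([member] * 20)] * n_headers


if __name__ == "__main__":
    print(parse_accept(["text/html, application/xml;q=0.9, */*;q=0.8"]))
    try:
        parse_accept(build_abusive_accept())
    except AcceptTooComplex as e:
        print("rejected:", e)
```

The pre-check is deliberately separate from the parser: it only counts separators, so the cost of a hostile request is bounded before any quality value is decoded or any list is sorted.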
https://bugzilla.redhat.com/show_bug.cgi?id=1987678
Bug ID: 1987678
Summary: lucene: FTBFS in Fedora rawhide/f35
Product: Fedora
Version: rawhide
Status: NEW
Component: lucene
Assignee: akurtako(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, dbhole(a)redhat.com,
dchen(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com,
lef(a)fedoraproject.org, rgrunber(a)redhat.com
Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS)
Target Milestone: ---
Classification: Fedora
lucene failed to build from source in Fedora rawhide/f35
https://koji.fedoraproject.org/koji/taskinfo?taskID=72400674
For details on the mass rebuild see:
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Please fix lucene at your earliest convenience and set the bug's status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
lucene will be orphaned. Before branching of Fedora 36,
lucene will be retired, if it still fails to build.
For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1927309
[Bug 1927309] Fedora 35 FTBFS Tracker
https://bugzilla.redhat.com/show_bug.cgi?id=1944888
Bug ID: 1944888
Summary: CVE-2021-21409 netty: Request smuggling via
content-length header
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, akurtako(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
andjrobins(a)gmail.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
clement.escoffier(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dbhole(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org,
fjuma(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gsmet(a)redhat.com,
hamadhan(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)gmail.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
nmoumoul(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pcreech(a)redhat.com,
pdrozd(a)redhat.com, peholase(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, probinso(a)redhat.com,
rchan(a)redhat.com, rgodfrey(a)redhat.com,
rgrunber(a)redhat.com, rguimara(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sbiarozk(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, sokeeffe(a)redhat.com,
spinder(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tflannag(a)redhat.com,
theute(a)redhat.com, tom.jenkinson(a)redhat.com,
yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.61.Final there is a vulnerability that enables request smuggling. The
content-length header is not correctly validated if the request only uses a
single Http2HeaderFrame with the endStream set to true. This could lead to
request smuggling if the request is proxied to a remote peer and translated to
HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which
missed this one case. This was fixed as part of 4.1.61.Final.
References:
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0…
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
https://bugzilla.redhat.com/show_bug.cgi?id=1937364
Bug ID: 1937364
Summary: CVE-2021-21295 netty: possible request smuggling in
HTTP/2 due to missing validation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, akurtako(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
andjrobins(a)gmail.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
clement.escoffier(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dbhole(a)redhat.com, decathorpe(a)gmail.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org,
fjuma(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gsmet(a)redhat.com, hamadhan(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
nmoumoul(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pcreech(a)redhat.com,
pdrozd(a)redhat.com, peholase(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, probinso(a)redhat.com,
rchan(a)redhat.com, rgodfrey(a)redhat.com,
rgrunber(a)redhat.com, rguimara(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sbiarozk(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, sokeeffe(a)redhat.com,
spinder(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tflannag(a)redhat.com,
theute(a)redhat.com, tom.jenkinson(a)redhat.com,
yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
Netty is an open-source, asynchronous event-driven network application
framework for rapid development of maintainable high performance protocol
servers & clients. In Netty (io.netty:netty-codec-http2) before version
4.1.60.Final there is a vulnerability that enables request smuggling. If a
Content-Length header is present in the original HTTP/2 request, the field is
not validated by `Http2MultiplexHandler` as it is propagated up. This is fine
as long as the request is not proxied through as HTTP/1.1. If the request comes
in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects
(`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec`
and then sent up to the child channel's pipeline and proxied through a remote
peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users
may assume the content-length is validated somehow, which is not the case. If
the request is forwarded to a backend channel that is an HTTP/1.1 connection,
the Content-Length now has meaning and needs to be checked. An attacker can
smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1.
For an example attack refer to the linked GitHub Advisory. Users are only
affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is
used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1
objects, and these HTTP/1.1 objects are forwarded to another remote peer. This
has been patched in 4.1.60.Final. As a workaround, the user can do the
validation by themselves by implementing a custom `ChannelInboundHandler` that
is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
Reference:
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
Upstream patch:
https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3…
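The downgrade that both Netty advisories above describe (CVE-2021-21295 and CVE-2021-21409), as an added example in Python rather than a Netty ChannelInboundHandler, and not the project's code: h2_to_h11() models the HTTP/2-to-HTTP/1.1 translation a proxy performs, with validate=False forwarding content-length verbatim as the vulnerable versions did and validate=True enforcing the check the workaround handler has to make; split_h11_requests() stands in for the backend's HTTP/1.1 parser and shows which requests it would act on. The hidden second request, the follow-on request on the same backend socket and the /upload, /admin and /profile paths are constructed inputs, not taken from the advisories.

```python
import re


class SmugglingAttempt(ValueError):
    """Raised by the hardened translation when content-length disagrees
    with the body actually received over HTTP/2."""


def h2_to_h11(h2_headers, body, end_stream, validate=True):
    """Translate an HTTP/2 request (pseudo-headers and regular headers in
    h2_headers, body bytes collected from DATA frames, END_STREAM flag)
    into HTTP/1.1 bytes for a backend connection.

    validate=False reproduces the vulnerable behaviour: content-length is
    copied across unchecked. validate=True enforces what the HTTP/1.1 side
    needs: in HTTP/1.1 the field frames the message, so it must equal the
    bytes actually forwarded, including the lone-HEADERS-frame case where
    the body is empty but content-length is not zero."""
    method = h2_headers[":method"]
    path = h2_headers[":path"]
    authority = h2_headers.get(":authority", "")
    regular = {k: v for k, v in h2_headers.items() if not k.startswith(":")}
    declared = regular.get("content-length")
    if validate:
        if not end_stream:
            raise ValueError("request incomplete; wait for END_STREAM")
        if declared is not None:
            if not re.fullmatch(r"[0-9]+", declared):
                raise SmugglingAttempt("malformed content-length")
            if int(declared) != len(body):
                raise SmugglingAttempt(
                    f"content-length {declared} != {len(body)} body bytes")
    lines = [f"{method} {path} HTTP/1.1", f"host: {authority}"]
    lines += [f"{k}: {v}" for k, v in regular.items()]
    if declared is None and body:
        lines.append(f"content-length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def split_h11_requests(stream):
    """Minimal HTTP/1.1 request splitter standing in for the backend: read
    one head, skip the number of body bytes its Content-Length declares,
    treat whatever follows as the next request. Returns the request lines
    the backend would act on."""
    seen = []
    while stream:
        end = stream.find(b"\r\n\r\n")
        if end < 0:
            break
        request_line, *hdrs = stream[:end].decode("latin-1").split("\r\n")
        length = 0
        for h in hdrs:
            name, _, value = h.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        seen.append(request_line)
        stream = stream[end + 4 + length:]
    return seen


# Constructed inputs: a second request hidden inside a body, and an innocent
# request that arrives next on the same backend socket.
SMUGGLED = b"GET /admin HTTP/1.1\r\nhost: internal\r\n\r\n"
NEXT_REQUEST = b"GET /profile HTTP/1.1\r\nhost: app.example\r\n\r\n"


def demo_body_mismatch(validate):
    """CVE-2021-21295 shape: DATA frames deliver more bytes than content-length."""
    h2 = {":method": "POST", ":path": "/upload", ":authority": "app.example",
          "content-length": "0"}
    return split_h11_requests(h2_to_h11(h2, SMUGGLED, True, validate))


def demo_lone_headers_frame(validate):
    """CVE-2021-21409 shape: one HEADERS frame with END_STREAM, no DATA, but a
    non-zero content-length. Forwarded verbatim, the backend swallows the
    start of the next request on the socket as this request's body."""
    h2 = {":method": "POST", ":path": "/upload", ":authority": "app.example",
          "content-length": "23"}  # 23 == len(b"GET /profile HTTP/1.1\r\n")
    return split_h11_requests(h2_to_h11(h2, b"", True, validate) + NEXT_REQUEST)


if __name__ == "__main__":
    print("vulnerable, body mismatch:", demo_body_mismatch(False))
    print("vulnerable, lone HEADERS:", demo_lone_headers_frame(False))
    for demo in (demo_body_mismatch, demo_lone_headers_frame):
        try:
            demo(True)
        except SmugglingAttempt as e:
            print("hardened rejects:", e)
```

The second demo is the case the follow-up advisory covers: nothing in the HTTP/2 request looks wrong on its own, the damage is that the declared length becomes framing once the bytes are HTTP/1.1, which is why the check belongs at the translation boundary and not in the HTTP/2 decoder.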
https://bugzilla.redhat.com/show_bug.cgi?id=2095426
Bug ID: 2095426
Summary: [RFE] jetty use systemd-sysusers
Product: Fedora
Version: 36
Status: NEW
Component: jetty
Assignee: mat.booth(a)gmail.com
Reporter: riehecky(a)fnal.gov
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
jetty is using static user add scripts
Version-Release number of selected component (if applicable):
jetty-9.4.38-2
How reproducible:
100%
Steps to Reproduce:
1. review %pre
Actual results:
%pre
# Add the "jetty" user and group
getent group %username >/dev/null || groupadd -f -g %jtuid -r %username
if ! getent passwd %username >/dev/null ; then
    if ! getent passwd %jtuid >/dev/null ; then
        useradd -r -u %jtuid -g %username -d %homedir -s /sbin/nologin \
            -c "Jetty web server" %username
    else
        useradd -r -g %username -d %homedir -s /sbin/nologin \
            -c "Jetty web server" %username
    fi
fi
exit 0
Expected results:
use of systemd-sysusers
Additional info:
https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html
https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
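The sysusers.d fragment that would replace the %pre script above, as an added example (not the Fedora package's file): one line for the group and one for the user, carrying the same fixed ID, comment, home directory and shell the script passes to groupadd and useradd. %jtuid and %homedir are the spec's RPM macros and are assumed to be expanded when the spec installs the file; the file name is an assumption too.

```text
# /usr/lib/sysusers.d/jetty.conf  (file name assumed; %jtuid/%homedir expanded by the spec)
# Type  Name   ID      GECOS               Home      Shell
g       jetty  %jtuid
u       jetty  %jtuid  "Jetty web server"  %homedir  /sbin/nologin
```

With the file installed, the %pre useradd/groupadd logic goes away: systemd-sysusers creates the group and the system account idempotently, and the linked Fedora change describes the %sysusers_create_compat macro for packages that still need the accounts created at RPM install time.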
https://bugzilla.redhat.com/show_bug.cgi?id=1985223
Bug ID: 1985223
Summary: CVE-2021-34429 jetty: crafted URIs allow bypassing
security constraints
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jwon(a)redhat.com,
krzysztof.daniel(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
pjindal(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sd-operator-metering(a)redhat.com,
slinaber(a)redhat.com, sochotni(a)redhat.com,
sponnaga(a)redhat.com, swoodman(a)redhat.com,
tflannag(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs
can be crafted using some encoded characters to access the content of the
WEB-INF directory and/or bypass some security constraints.
Upstream Issue:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w…
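A canonicalize-before-authorize check of the kind this class of bug calls for, as an added Python example (not Jetty's code and not the advisory's payloads): naive_is_protected() is the prefix match that encoded characters get past; is_protected() decodes once, refuses double encoding, control characters and backslashes, removes dot segments, and only then compares each segment to WEB-INF and META-INF case-insensitively. The paths in CASES are constructed to exercise those branches and are not claimed to be the URIs the advisory covers.

```python
from urllib.parse import unquote

PROTECTED = {"web-inf", "meta-inf"}


def naive_is_protected(raw_path):
    """The kind of check that fails: a prefix match on the undecoded target."""
    return raw_path.startswith("/WEB-INF/") or raw_path.startswith("/META-INF/")


def canonicalize(raw_path):
    """Decode once, reject what a filesystem or container might interpret
    differently from this check, then remove dot segments (RFC 3986).
    Returns the canonical path or raises ValueError for paths that should
    be refused outright."""
    if "%" in raw_path:
        decoded = unquote(raw_path, errors="strict")   # invalid UTF-8 raises
        # If decoding again changes the string, it was double-encoded.
        # (Policy of this example: a literal '%' followed by hex is refused too.)
        if unquote(decoded, errors="strict") != decoded:
            raise ValueError("double-encoded path")
    else:
        decoded = raw_path
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        raise ValueError("control character in path")
    if "\\" in decoded:
        raise ValueError("backslash in path")
    if not decoded.startswith("/"):
        raise ValueError("relative path")
    out = []
    for seg in decoded.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise ValueError("traversal above root")
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_protected(raw_path):
    """Hardened check: canonicalize first, then compare every segment
    case-insensitively, so neither encoding nor casing can hide WEB-INF.
    Anything canonicalize() refuses is treated as protected (deny)."""
    try:
        canon = canonicalize(raw_path)
    except ValueError:
        return True
    return any(seg.lower() in PROTECTED for seg in canon.split("/"))


# Constructed request targets and the decision the hardened check should make.
CASES = {
    "/index.html": False,
    "/static/%E2%9C%93.txt": False,
    "/WEB-INF/web.xml": True,
    "/%57EB-INF/web.xml": True,        # percent-encoded 'W'
    "/./WEB-INF/web.xml": True,        # dot segment
    "/app/../WEB-INF/web.xml": True,   # traversal into the protected dir
    "/web-inf/web.xml": True,          # casing
    "/%2e/WEB-INF/web.xml": True,      # encoded dot segment
    "/WEB-INF%2Fweb.xml": True,        # encoded slash
    "/WEB-INF%00/web.xml": True,       # embedded NUL
    "/%2557EB-INF/web.xml": True,      # double encoding
}


def bypasses_naive(paths=CASES):
    """Paths the naive check lets through but the canonical check stops."""
    return [p for p in paths if not naive_is_protected(p) and is_protected(p)]


if __name__ == "__main__":
    for p in bypasses_naive():
        print("naive check misses:", p)
```

The order matters: decoding after the comparison, or comparing a prefix instead of each segment, reopens exactly the gaps the table lists. Treating %2F as a separator is the conservative choice here; a container that keeps it literal still should not let it reach a WEB-INF lookup.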
https://bugzilla.redhat.com/show_bug.cgi?id=1985225
Bug ID: 1985225
Summary: CVE-2021-34429 jetty: crafted URIs allow bypassing
security constraints [fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mat.booth(a)gmail.com
Reporter: mrehak(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=1974891
Bug ID: 1974891
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jwon(a)redhat.com,
krzysztof.daniel(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sd-operator-metering(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tflannag(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is
thrown from the SessionListener#sessionDestroyed() method, then the session ID
is not invalidated in the session ID manager. On deployments with clustered
sessions and multiple contexts this can result in a session not being
invalidated. This can result in an application used on a shared computer being
left logged in.
Reference:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx…
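The invalidation ordering this advisory describes, as an added Python model (not Jetty's session code): Session.invalidate_unsafe() calls the listeners before the ID manager with no exception handling, so a listener that throws leaves the ID live; Session.invalidate() runs every listener, logs one that fails, and removes the ID from the ID manager in a finally block. The SessionIdManager, the listener classes and the session ID string are constructed for the example.

```python
import logging

log = logging.getLogger("sessions")


class SessionIdManager:
    """Constructed stand-in for the container-wide session ID manager: the
    set of IDs still valid across every context that shares them."""

    def __init__(self):
        self.live = set()

    def register(self, sid):
        self.live.add(sid)

    def expire_all(self, sid):
        """Invalidate the ID in every context that shares it."""
        self.live.discard(sid)

    def is_live(self, sid):
        return sid in self.live


class FaultyListener:
    """A sessionDestroyed() callback that throws, as the advisory describes."""

    def session_destroyed(self, session):
        raise RuntimeError("listener bug")


class CountingListener:
    """A well-behaved listener, to show the hardened path still reaches it."""

    def __init__(self):
        self.calls = 0

    def session_destroyed(self, session):
        self.calls += 1


class Session:
    def __init__(self, sid, manager, listeners):
        self.id = sid
        self.manager = manager
        self.listeners = listeners
        self.valid = True
        manager.register(sid)

    def invalidate_unsafe(self):
        """Vulnerable ordering: listeners first, ID manager last, nothing
        catches a listener exception, so expire_all() is skipped."""
        for listener in self.listeners:
            listener.session_destroyed(self)
        self.valid = False
        self.manager.expire_all(self.id)

    def invalidate(self):
        """Hardened ordering: every listener runs, a failure is logged rather
        than propagated, and the ID leaves the ID manager unconditionally."""
        try:
            for listener in self.listeners:
                try:
                    listener.session_destroyed(self)
                except Exception:
                    log.exception("sessionDestroyed listener failed")
        finally:
            self.valid = False
            self.manager.expire_all(self.id)


def logout(use_hardened):
    """Log out of a session whose listeners are a faulty one followed by a
    good one. Returns (id_still_live, good_listener_calls)."""
    manager = SessionIdManager()
    good = CountingListener()
    session = Session("node0constructedid", manager, [FaultyListener(), good])
    try:
        (session.invalidate if use_hardened else session.invalidate_unsafe)()
    except RuntimeError:
        pass  # the container logs this and still answers the logout request
    return manager.is_live(session.id), good.calls


if __name__ == "__main__":
    print("vulnerable:", logout(False))
    print("hardened:  ", logout(True))
```

The user-visible symptom is the one the advisory names: the logout response goes out, but the ID the browser still holds remains valid in the ID manager, so on a shared machine the next person can resume the session.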
https://bugzilla.redhat.com/show_bug.cgi?id=1974892
Bug ID: 1974892
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
[fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: mat.booth(a)gmail.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.