[Bug 1974891] New: CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1974891
Bug ID: 1974891
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jjohnstn(a)redhat.com,
jjoyce(a)redhat.com, jkang(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jross(a)redhat.com,
jschluet(a)redhat.com, jwon(a)redhat.com,
krzysztof.daniel(a)gmail.com, lhh(a)redhat.com,
lpeer(a)redhat.com, mat.booth(a)gmail.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sd-operator-metering(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tflannag(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is
thrown from the SessionListener#sessionDestroyed() method, then the session ID
is not invalidated in the session ID manager. On deployments with clustered
sessions and multiple contexts this can result in a session not being
invalidated. This can result in an application used on a shared computer being
left logged in.
Reference:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vx...
--
You are receiving this mail because:
You are on the CC list for the bug.
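The advisory above names the trigger (an exception escaping SessionListener#sessionDestroyed()) but not what that looks like in application code. The following is an added example, written for this page and not part of the bug report or of Jetty's own code base. It shows a listener in the fragile shape beside a hardened one. AuditSink is a hypothetical sink standing in for any audit or cleanup work that can fail at runtime; the package names assume the javax.servlet API used by Jetty 9.4 and 10, while Jetty 11 uses jakarta.servlet.

```java
// Added example, not Jetty code. Assumes the javax.servlet API (Jetty 9.4/10);
// Jetty 11 uses the jakarta.servlet package names instead.
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical audit sink (assumption, not a real library). In a real
 * deployment this would write to a database or remote service and can
 * therefore fail at runtime; here it fails when the id is missing.
 */
final class AuditSink {
    private AuditSink() {}

    static void record(String event, String sessionId) {
        if (sessionId == null || sessionId.isEmpty()) {
            throw new IllegalStateException("missing session id for event " + event);
        }
        // ... write the event somewhere durable ...
    }
}

/**
 * Fragile form: a failure inside the audit write propagates out of
 * sessionDestroyed(). On the affected Jetty versions that exception
 * interrupts invalidation before the id is removed from the session ID
 * manager, so the user sees a logout while the session id stays valid.
 */
final class FragileAuditSessionListener implements HttpSessionListener {
    @Override
    public void sessionCreated(HttpSessionEvent se) {
        AuditSink.record("created", se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        AuditSink.record("destroyed", se.getSession().getId()); // may throw
    }
}

/**
 * Hardened form: nothing thrown by the listener's own work is allowed to
 * escape sessionDestroyed(). This does not replace upgrading Jetty past the
 * affected versions; it removes the trigger from application code.
 */
@WebListener
public final class SafeAuditSessionListener implements HttpSessionListener {
    private static final Logger LOG =
            Logger.getLogger(SafeAuditSessionListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        recordQuietly("created", se);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        recordQuietly("destroyed", se);
    }

    private static void recordQuietly(String event, HttpSessionEvent se) {
        String id = se.getSession().getId();
        try {
            AuditSink.record(event, id);
        } catch (Exception e) {
            // Log and continue: a failed audit write must never keep a session alive.
            LOG.log(Level.WARNING, "session audit failed: event=" + event + " id=" + id, e);
        }
    }
}
```

The practical check on an affected deployment is to look for stack traces in the server log whose frames include a sessionDestroyed() implementation from the application; each one marks a logout that may not have reached the session ID manager. The hardened listener catches only Exception, so a JVM Error still propagates, which is the usual choice; what matters is that ordinary failures in cleanup or audit work cannot abort invalidation.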
[Bug 1974892] New: CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1974892
Bug ID: 1974892
Summary: CVE-2021-34428 jetty: SessionListener can prevent a
session from being invalidated breaking logout
[fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: mat.booth(a)gmail.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1973416] New: CVE-2021-33813 javapackages-tools: jdom: XXE allows attackers to cause a DoS via a crafted HTTP request [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1973416
Bug ID: 1973416
Summary: CVE-2021-33813 javapackages-tools: jdom: XXE allows
attackers to cause a DoS via a crafted HTTP request
[fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: javapackages-tools
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com, sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1971017] New: CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1971017
Bug ID: 1971017
Summary: CVE-2021-28169 jetty: requests to the ConcatServlet
and WelcomeFilter are able to access protected
resources within the WEB-INF directory [fedora-all]
Product: Fedora
Version: 34
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mat.booth(a)gmail.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.