| Summary: | jetty missing update for security issue CVE-2011-4461 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | dmorganec, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/481977/ | ||
| Whiteboard: | has_procedure mga2-32-OK mga2-64-OK | ||
| Source RPM: | jetty-6.1.26-14.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-12-21 17:28:22 CET
available on testing. Thanks D Morgan!

Advisory:
========================

Updated jetty packages fix security vulnerability:

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters (CVE-2011-4461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076411.html
========================

Updated packages in core/updates_testing:
========================
jetty-6.1.26-14.1.mga2
jetty-maven-plugins-6.1.26-14.1.mga2
jetty-javadoc-6.1.26-14.1.mga2
jetty-manual-6.1.26-14.1.mga2

from jetty-6.1.26-14.1.mga2.src.rpm

CC: (none) => dmorganec

No PoC that I can find. This looks to be our first update for Jetty, so looking to find some documentation for testing. Some info here: http://www.eclipse.org/jetty/documentation/current/quickstart-running-jetty.html

Before
------
    # cd /usr/share/jetty
    # java -jar start.jar

Browsing to http://localhost:8080 and clicking some of the links seems to work well, but starting the jetty service with 'service jetty start' doesn't seem to start any webserver.

When started as a service it starts on port 8088, so http://localhost:8088 instead of 8080, which seems to be the default jetty port.

Another one affected by bug 2317, so will need some links when pushed.

----------------------------------------
Running checks for "jetty" using media "Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for i586
Latest version found in "Core Release" is jetty-6.1.26-14.mga2
Latest version found in "Core Updates Testing" is jetty-6.1.26-14.1.mga2
----------------------------------------
The following packages will require linking:
classpathx-mail-1.1.1-10.mga1 (Core Release)
java-1.5.0-gcj-1.5.0.0-17.1.24.mga2 (Core Release)
java-1.5.0-gcj-devel-1.5.0.0-17.1.24.mga2 (Core Release)
javamail-1.4.3-7.mga1 (Core Release)
----------------------------------------

Depends on: (none) => 2317

Testing complete mga2 32. Just clicking on the example links found at http://localhost:8088 once the jetty service is started.

Whiteboard: (none) => has_procedure mga2-32-OK

Created bug 8592 for the 8088/8080 thing, not sure if it is on purpose or by accident.

Patch added to Mageia 1 SVN. Also fixed creation of jetty user and added LSB headers to the init script.

Removing bug 2317. It does not apply here. I had an old depcheck version on my 32 bit laptop which didn't parse package choices properly.

Depends on: 2317 => (none)

Testing complete mga2 64. Bug 8599 created for a potential urpmi bug noticed whilst testing.

Validating. Advisory & SRPM in comment 2. Could sysadmin please push from core/updates_testing to core/updates. Thanks!

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0002

Status: NEW => RESOLVED
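The advisory above describes the mitigation class only in one sentence: the fix is to bound how many form parameters a request may contribute to the hash table. The following is an added illustration, not Jetty's or Mageia's code, of a form-body parser that enforces such a cap before each key is hashed in; the limit values, the function names and the sample bodies are assumptions chosen for the demonstration.

```python
# Added example (not Jetty's or Mageia's code): a form-body parser that caps
# the number of keys before each one is decoded and inserted, the mitigation
# class for CVE-2011-4461. A bounded key count bounds the per-request work
# an attacker-chosen key set can cost, whatever the hash function in use.
from urllib.parse import unquote_plus

MAX_FORM_KEYS = 1000       # assumed cap; the page does not state Jetty's default
MAX_FORM_BYTES = 200_000   # assumed cap on the raw body size


class FormLimitExceeded(ValueError):
    """Raised when a request body exceeds a configured limit."""


def parse_form(body: bytes, max_keys: int = MAX_FORM_KEYS,
               max_bytes: int = MAX_FORM_BYTES) -> dict[str, list[str]]:
    """Parse application/x-www-form-urlencoded bytes into {name: [values]}.

    Every 'name=value' pair counts as one key (duplicates included); the
    check runs before the pair is hashed into the table, so an over-limit
    body is refused without doing the work it was crafted to trigger.
    """
    if len(body) > max_bytes:
        raise FormLimitExceeded(f"body is {len(body)} bytes, limit {max_bytes}")
    params: dict[str, list[str]] = {}
    seen = 0
    for field in body.split(b"&"):
        if not field:            # tolerate 'a=1&&b=2' and a trailing '&'
            continue
        seen += 1
        if seen > max_keys:
            raise FormLimitExceeded(f"more than {max_keys} form keys")
        name, has_value, value = field.partition(b"=")
        key = unquote_plus(name.decode("latin-1"))
        val = unquote_plus(value.decode("latin-1")) if has_value else ""
        params.setdefault(key, []).append(val)
    return params


def accepts(body: bytes, **limits: int) -> bool:
    """True if the body parses within the limits, False if a cap trips."""
    try:
        parse_form(body, **limits)
        return True
    except FormLimitExceeded:
        return False

# Constructed sample bodies for the demonstration; not from the bug report.
SMALL_BODY = b"user=alice&lang=en&user=bob&flag"          # 4 keys, accepted
FLOOD_BODY = b"&".join(b"k%d=v" % i for i in range(MAX_FORM_KEYS + 1))  # 1001 keys
```

The key-count check is the part that matters: it fires per pair, before decoding or insertion, so the cost of an over-limit body is a linear scan for '&' and nothing more.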