Fedora has issued an advisory on July 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QULQK5DU63QRYEWLVC6QZWASFQFSPFMD/

The issue is fixed upstream in the following versions:
jetty-9.4.6.v20170531
jetty-9.3.20.v20170531
jetty-9.2.22.v20170606

Mageia 5 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO, MGA5TOO
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Pushed in updates_testing for Mageia 6.
src.rpm: jetty-9.4.6-1.v20170531.1.mga6
It looks like the other two SRPMS imported were part of the update too.

jetty-test-helper-3.1-4.mga6 jetty-test-helper-javadoc-3.1-4.mga6 jetty-alpn-8.1.11-3.v20170118.1.mga6 jetty-alpn-javadoc-8.1.11-3.v20170118.1.mga6 jetty-9.4.6-1.v20170531.1.mga6 jetty-client-9.4.6-1.v20170531.1.mga6 jetty-continuation-9.4.6-1.v20170531.1.mga6 jetty-http-9.4.6-1.v20170531.1.mga6 jetty-http-spi-9.4.6-1.v20170531.1.mga6 jetty-io-9.4.6-1.v20170531.1.mga6 jetty-jaas-9.4.6-1.v20170531.1.mga6 jetty-jsp-9.4.6-1.v20170531.1.mga6 jetty-security-9.4.6-1.v20170531.1.mga6 jetty-server-9.4.6-1.v20170531.1.mga6 jetty-servlet-9.4.6-1.v20170531.1.mga6 jetty-util-9.4.6-1.v20170531.1.mga6 jetty-webapp-9.4.6-1.v20170531.1.mga6 jetty-jmx-9.4.6-1.v20170531.1.mga6 jetty-xml-9.4.6-1.v20170531.1.mga6 jetty-project-9.4.6-1.v20170531.1.mga6 jetty-deploy-9.4.6-1.v20170531.1.mga6 jetty-annotations-9.4.6-1.v20170531.1.mga6 jetty-ant-9.4.6-1.v20170531.1.mga6 jetty-cdi-9.4.6-1.v20170531.1.mga6 jetty-fcgi-client-9.4.6-1.v20170531.1.mga6 jetty-fcgi-server-9.4.6-1.v20170531.1.mga6 jetty-infinispan-9.4.6-1.v20170531.1.mga6 jetty-jaspi-9.4.6-1.v20170531.1.mga6 jetty-jndi-9.4.6-1.v20170531.1.mga6 jetty-jspc-maven-plugin-9.4.6-1.v20170531.1.mga6 jetty-maven-plugin-9.4.6-1.v20170531.1.mga6 jetty-plus-9.4.6-1.v20170531.1.mga6 jetty-proxy-9.4.6-1.v20170531.1.mga6 jetty-rewrite-9.4.6-1.v20170531.1.mga6 jetty-servlets-9.4.6-1.v20170531.1.mga6 jetty-spring-9.4.6-1.v20170531.1.mga6 jetty-start-9.4.6-1.v20170531.1.mga6 jetty-unixsocket-9.4.6-1.v20170531.1.mga6 jetty-util-ajax-9.4.6-1.v20170531.1.mga6 jetty-websocket-api-9.4.6-1.v20170531.1.mga6 jetty-websocket-client-9.4.6-1.v20170531.1.mga6 jetty-websocket-common-9.4.6-1.v20170531.1.mga6 jetty-websocket-server-9.4.6-1.v20170531.1.mga6 jetty-websocket-servlet-9.4.6-1.v20170531.1.mga6 jetty-javax-websocket-client-impl-9.4.6-1.v20170531.1.mga6 jetty-javax-websocket-server-impl-9.4.6-1.v20170531.1.mga6 jetty-nosql-9.4.6-1.v20170531.1.mga6 jetty-httpservice-9.4.6-1.v20170531.1.mga6 jetty-osgi-boot-9.4.6-1.v20170531.1.mga6 jetty-osgi-boot-warurl-9.4.6-1.v20170531.1.mga6 jetty-osgi-boot-jsp-9.4.6-1.v20170531.1.mga6 jetty-osgi-alpn-9.4.6-1.v20170531.1.mga6 jetty-quickstart-9.4.6-1.v20170531.1.mga6 jetty-alpn-client-9.4.6-1.v20170531.1.mga6 jetty-alpn-server-9.4.6-1.v20170531.1.mga6 jetty-http2-client-9.4.6-1.v20170531.1.mga6 jetty-http2-common-9.4.6-1.v20170531.1.mga6 jetty-http2-hpack-9.4.6-1.v20170531.1.mga6 jetty-http2-http-client-transport-9.4.6-1.v20170531.1.mga6 jetty-http2-server-9.4.6-1.v20170531.1.mga6 jetty-jstl-9.4.6-1.v20170531.1.mga6 jetty-javadoc-9.4.6-1.v20170531.1.mga6

from SRPMS:
jetty-test-helper-3.1-4.mga6.src.rpm
jetty-alpn-8.1.11-3.v20170118.1.mga6.src.rpm
jetty-9.4.6-1.v20170531.1.mga6.src.rpm
Sorry, yes :) I forgot to mention them.
Blocks: (none) => 21533
Package list in Comment 2.

Advisory:
========================

Updated jetty packages fix security vulnerability:

Jetty is prone to a timing channel attack in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords (CVE-2017-9735).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9735
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QULQK5DU63QRYEWLVC6QZWASFQFSPFMD/
Assignee: mageia => qa-bugs
Severity: normal => major
CC: (none) => mageia
Whiteboard: MGA5TOO => (none)
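As an added illustration of the defect class the advisory describes (this is constructed example code, not Jetty's Password.java and not part of this bug report): a password check that returns at the first mismatching character does an amount of work that depends on how many leading characters of the guess were right, which is what a remote observer measures through response latency. Hashing both values to a fixed length and comparing the digests with MessageDigest.isEqual removes that dependency. The stored credential and guesses below are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration of the advisory's defect class; not Jetty's own code.
public class PasswordCheckDemo {

    // Vulnerable pattern: exits at the first mismatch, so the work done (and the
    // wall-clock time) grows with the length of the guess's correct prefix.
    static boolean earlyExitCheck(String expected, String guess) {
        if (expected.length() != guess.length()) return false;
        for (int i = 0; i < expected.length(); i++) {
            if (expected.charAt(i) != guess.charAt(i)) return false;
        }
        return true;
    }

    // The same loop, instrumented: how many characters were examined before it
    // returned. This count is the quantity that leaks through timing.
    static int charsExamined(String expected, String guess) {
        int n = Math.min(expected.length(), guess.length());
        for (int i = 0; i < n; i++) {
            if (expected.charAt(i) != guess.charAt(i)) return i + 1;
        }
        return n;
    }

    // Hardened pattern: hash both sides to a fixed length, then compare every byte.
    // MessageDigest.isEqual takes time independent of where the first difference
    // lies, and hashing first also hides the length of the stored credential.
    static boolean constantTimeCheck(String expected, String guess) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = md.digest(guess.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        String stored = "s3cretpass"; // constructed sample credential
        for (String guess : new String[] {"xxxxxxxxxx", "s3cxxxxxxx", "s3cretpasx", "s3cretpass"}) {
            System.out.printf("%-12s early-exit=%-5b chars examined=%2d constant-time=%b%n",
                    guess, earlyExitCheck(stored, guess), charsExamined(stored, guess),
                    constantTimeCheck(stored, guess));
        }
    }
}
```

Running it shows the early-exit loop examining 1, 4, 10 and 10 characters for the four guesses, while both checks agree on the accept/reject result; only the hardened version does the same amount of work in every case.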
mga6 x86_64

Jetty is a Java package which provides a web server and helps run web applications if the relevant modules are installed.

Installed the jetty packages prior to updating. Checking back through the links there appears to be nothing useful regarding confirmation of the effectiveness of the patches. There is an instruction for compiling some component with ASAN support and running that but it is beyond QA's remit.

Some information on how to use Jetty can be found at:
https://www.eclipse.org/jetty/documentation/9.4.6.v20170531/quickstart-running-jetty.html

After installation, set up the pointers to the base and home directories for Jetty - e.g.
$ export JETTY_HOME=/usr/share/jetty
$ export JETTY_BASE=/home/lcl/qa/jetty

Jetty tends to be a bit verbose, so the responses to the following commands are not illustrated.
$ java -jar $JETTY_HOME/start.jar --create-startd

By default jetty uses port 8080 but this can be altered:
$ java -jar $JETTY_HOME/start.jar jetty.http.port=8081

To show available modules:
$ java -jar /usr/share/jetty/start.jar --list-modules

Show configurations of the Java and Jetty environments.
$ java -jar /usr/share/jetty/start.jar --list-config

$ cp $JETTY_HOME/demo-base/webapps/async-rest.war webapps/ROOT.war
That will fail because demo-base/webapps does not have much in it.

If you have the requisite modules installed you can do things like this:
$ java -jar $JETTY_HOME/start.jar --add-to-start=https,http2

----------------------------------------------------------------------------------------------

An attempt to install the updates brought up the message:
"The following packages have to be removed for others to be upgraded:
jetty-9.4.0-0.2.M0.2.mga6.noarch (due to unsatisfied jetty-websocket-common == 9.4.0-0.2.M0.2.mga6)
jetty-monitor-9.4.0-0.2.M0.2.mga6.noarch (due to unsatisfied mvn(org.eclipse.jetty:jetty-io) == 9.4.0.M0)"

Said yes to that, then:
Sorry, the following package cannot be selected:
- jetty-9.4.6-1.v20170531.1.mga6.noarch (due to unsatisfied systemd-sysv[*])

Haven't a clue what that is about.
$ locate systemd-sysv
/usr/lib/systemd/systemd-sysv-install
/usr/lib/systemd/system-generators/systemd-sysv-generator
/usr/share/man/man8/systemd-sysv-generator.8.xz
CC: (none) => tarazed25
Whiteboard: (none) => feedback
Just fixed this require. Should be OK on the next rpm.
Whiteboard: feedback => (none)
New package list:

jetty-test-helper-3.1-4.mga6 jetty-test-helper-javadoc-3.1-4.mga6 jetty-alpn-8.1.11-3.v20170118.1.mga6 jetty-alpn-javadoc-8.1.11-3.v20170118.1.mga6 jetty-9.4.6-1.v20170531.1.1.mga6 jetty-client-9.4.6-1.v20170531.1.1.mga6 jetty-continuation-9.4.6-1.v20170531.1.1.mga6 jetty-http-9.4.6-1.v20170531.1.1.mga6 jetty-http-spi-9.4.6-1.v20170531.1.1.mga6 jetty-io-9.4.6-1.v20170531.1.1.mga6 jetty-jaas-9.4.6-1.v20170531.1.1.mga6 jetty-jsp-9.4.6-1.v20170531.1.1.mga6 jetty-security-9.4.6-1.v20170531.1.1.mga6 jetty-server-9.4.6-1.v20170531.1.1.mga6 jetty-servlet-9.4.6-1.v20170531.1.1.mga6 jetty-util-9.4.6-1.v20170531.1.1.mga6 jetty-webapp-9.4.6-1.v20170531.1.1.mga6 jetty-jmx-9.4.6-1.v20170531.1.1.mga6 jetty-xml-9.4.6-1.v20170531.1.1.mga6 jetty-project-9.4.6-1.v20170531.1.1.mga6 jetty-deploy-9.4.6-1.v20170531.1.1.mga6 jetty-annotations-9.4.6-1.v20170531.1.1.mga6 jetty-ant-9.4.6-1.v20170531.1.1.mga6 jetty-cdi-9.4.6-1.v20170531.1.1.mga6 jetty-fcgi-client-9.4.6-1.v20170531.1.1.mga6 jetty-fcgi-server-9.4.6-1.v20170531.1.1.mga6 jetty-infinispan-9.4.6-1.v20170531.1.1.mga6 jetty-jaspi-9.4.6-1.v20170531.1.1.mga6 jetty-jndi-9.4.6-1.v20170531.1.1.mga6 jetty-jspc-maven-plugin-9.4.6-1.v20170531.1.1.mga6 jetty-maven-plugin-9.4.6-1.v20170531.1.1.mga6 jetty-plus-9.4.6-1.v20170531.1.1.mga6 jetty-proxy-9.4.6-1.v20170531.1.1.mga6 jetty-rewrite-9.4.6-1.v20170531.1.1.mga6 jetty-servlets-9.4.6-1.v20170531.1.1.mga6 jetty-spring-9.4.6-1.v20170531.1.1.mga6 jetty-start-9.4.6-1.v20170531.1.1.mga6 jetty-unixsocket-9.4.6-1.v20170531.1.1.mga6 jetty-util-ajax-9.4.6-1.v20170531.1.1.mga6 jetty-websocket-api-9.4.6-1.v20170531.1.1.mga6 jetty-websocket-client-9.4.6-1.v20170531.1.1.mga6 jetty-websocket-common-9.4.6-1.v20170531.1.1.mga6 jetty-websocket-server-9.4.6-1.v20170531.1.1.mga6 jetty-websocket-servlet-9.4.6-1.v20170531.1.1.mga6 jetty-javax-websocket-client-impl-9.4.6-1.v20170531.1.1.mga6 jetty-javax-websocket-server-impl-9.4.6-1.v20170531.1.1.mga6 jetty-nosql-9.4.6-1.v20170531.1.1.mga6 jetty-httpservice-9.4.6-1.v20170531.1.1.mga6 jetty-osgi-boot-9.4.6-1.v20170531.1.1.mga6 jetty-osgi-boot-warurl-9.4.6-1.v20170531.1.1.mga6 jetty-osgi-boot-jsp-9.4.6-1.v20170531.1.1.mga6 jetty-osgi-alpn-9.4.6-1.v20170531.1.1.mga6 jetty-quickstart-9.4.6-1.v20170531.1.1.mga6 jetty-alpn-client-9.4.6-1.v20170531.1.1.mga6 jetty-alpn-server-9.4.6-1.v20170531.1.1.mga6 jetty-http2-client-9.4.6-1.v20170531.1.1.mga6 jetty-http2-common-9.4.6-1.v20170531.1.1.mga6 jetty-http2-hpack-9.4.6-1.v20170531.1.1.mga6 jetty-http2-http-client-transport-9.4.6-1.v20170531.1.1.mga6 jetty-http2-server-9.4.6-1.v20170531.1.1.mga6 jetty-jstl-9.4.6-1.v20170531.1.1.mga6 jetty-javadoc-9.4.6-1.v20170531.1.1.mga6

from SRPMS:
jetty-test-helper-3.1-4.mga6.src.rpm
jetty-alpn-8.1.11-3.v20170118.1.mga6.src.rpm
jetty-9.4.6-1.v20170531.1.1.mga6.src.rpm
Better this time.

$ java -jar $JETTY_HOME/start.jar --create-startd
MKDIR : ${jetty.base}/start.d
INFO  : Base directory was modified

$ java -jar $JETTY_HOME/start.jar jetty.http.port=8081
2017-08-15 21:57:59.497:INFO::main: Logging initialized @315ms to org.eclipse.jetty.util.log.StdErrLog
2017-08-15 21:57:59.673:INFO:oejs.Server:main: jetty-9.4.6.v20170531
2017-08-15 21:57:59.697:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///home/lcl/qa/jetty/webapps/] at interval 1
2017-08-15 21:57:59.709:INFO:oejs.AbstractConnector:main: Started ServerConnector@7823a2f9{HTTP/1.1,[http/1.1]}{0.0.0.0:8081}
2017-08-15 21:57:59.710:INFO:oejs.Server:main: Started @528ms
<continues running>

To show available modules:
$ java -jar /usr/share/jetty/start.jar --list-modules
Works fine - lots of information.
..............................
Enabled Modules:
================
    0) server          ${jetty.base}/start.d/start.ini
    1) security        transitive provider of security for webapp
    2) servlet         transitive provider of servlet for webapp
    3) webapp          transitive provider of webapp for deploy
                       init template available with --add-to-start=webapp
    4) deploy          ${jetty.base}/start.d/start.ini
    5) http            ${jetty.base}/start.d/start.ini

Show configurations of the Java and Jetty environments.
$ java -jar /usr/share/jetty/start.jar --list-config
,,,,,,,,,,,,,,,,,,,,,,,,,,,
Jetty Active XMLs:
------------------
 /etc/jetty/jetty.xml
 /etc/jetty/jetty-webapp.xml
 /etc/jetty/jetty-deploy.xml
 /etc/jetty/jetty-http.xml

This looks like a clean install and the configuration, etc. looks OK.
Whiteboard: (none) => MGA6-64-OK
@Len : Thanks for your double testing & eventual 64-bit OK. Validating the update; advisory to follow.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA6-64-OK => advisory MGA6-64-OK
Update ID assignment failed

Checking for QA validation keyword… ✓
Checking dependent bugs… ✓ (None found)
Checking SRPMs… ✗ (6/core/jetty-9.4.6-1.v20170531.1.mga6)

'validated_update' keyword reset.
Keywords: validated_update => (none)
I missed the new packages list in comment 7, the advisory needs to be edited in SVN.
Keywords: (none) => validated_update
Whiteboard: advisory MGA6-64-OK => MGA6-64-OK
Advisory 21202.adv changed from:
jetty-9.4.6-1.v20170531.1.mga6
to:
jetty-9.4.6-1.v20170531.1.1.mga6

Other two SRPMs stay the same.
Whiteboard: MGA6-64-OK => MGA6-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0277.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED