Bug 27649 - jetty new security issues CVE-2019-1024[17] and CVE-2020-2721[68]
Summary: jetty new security issues CVE-2019-1024[17] and CVE-2020-2721[68]
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
: 27921 (view as bug list)
Depends on: 29034
Blocks:
  Show dependency treegraph
 
Reported: 2020-11-23 16:21 CET by David Walser
Modified: 2021-07-01 18:24 CEST (History)
0 users

See Also:
Source RPM: jetty-9.4.14-1.v20181114.1.mga7.src.rpm, jetty8-8.1.17-6.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 9.4.35, jetty8 also needs to be patched


Attachments

Description David Walser 2020-11-23 16:21:43 CET
RedHat has issued an advisory today (November 23):
https://access.redhat.com/errata/RHSA-2020:5168

Upstream advisory:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6

RedHat bug has link to upstream commit that fixed the issue (needed for jetty8):
https://bugzilla.redhat.com/show_bug.cgi?id=1891132

The issue is fixed upstream in 9.4.33 (already in Cauldron).
David Walser 2020-12-24 16:35:54 CET

Depends on: (none) => 27921

Comment 1 David Walser 2020-12-26 16:39:55 CET
SUSE has issued an advisory on December 22:
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008114.html

The issue is fixed upstream in 9.4.35.

Upstream advisory:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8

I don't think this one affects jetty8.

Summary: jetty new security issue CVE-2020-27216 => jetty new security issues CVE-2020-2721[68]

Comment 2 David Walser 2020-12-26 16:40:14 CET
*** Bug 27921 has been marked as a duplicate of this bug. ***

Depends on: 27921 => (none)

David Walser 2020-12-28 19:04:04 CET

Status comment: (none) => Fixed upstream in 9.4.35, jetty8 also needs to be patched

Comment 3 David Walser 2021-01-04 17:35:11 CET
openSUSE has issued an advisory for CVE-2020-27218 today (January 4):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/V4MZVOK35CIZLLLRF4FF6YZSQWFZO7UA/
Comment 4 David Walser 2021-05-28 00:53:28 CEST
Debian-LTS has issued an advisory on May 14:
https://www.debian.org/lts/security/2021/dla-2661

These issues were fixed upstream in 9.4.16 and 9.4.17.

Summary: jetty new security issues CVE-2020-2721[68] => jetty new security issues CVE-2019-1024[17] and CVE-2020-2721[68]

David Walser 2021-05-30 00:19:16 CEST

Depends on: (none) => 29034

Comment 5 David Walser 2021-07-01 18:24:25 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.