Fedora has issued an advisory on April 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/

The only CVE explicitly listed is CVE-2021-28163, fixed in 9.4.39. There are more, here are the upstream advisories:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

CVE-2021-2816[34] only affect Mageia 8. The others also affect Mageia 7.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 9.4.39
Blocks: (none) => 27649
Debian-LTS has issued an advisory on June 17:
https://www.debian.org/lts/security/2021/dla-2688

The issue is fixed upstream in 9.4.41:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq

Mageia 7 and Mageia 8 are also affected.
Version: 8 => Cauldron
Status comment: Fixed upstream in 9.4.39 => Fixed upstream in 9.4.41
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9]
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
SUSE has issued an advisory for this on June 17:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009033.html

They updated to 9.4.42.
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
openSUSE has issued an advisory for this on July 11:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/
cauldron is fixed. I updated mga8 to version 9.4.42.

A test to do is to see if eclipse still starts with new jetty.

src:
- jetty-9.4.42-1.mga8
CC: (none) => mageia
Version: Cauldron => 8
Status comment: Fixed upstream in 9.4.41 => (none)
Whiteboard: MGA8TOO => (none)
Assignee: java => qa-bugs
jetty-9.4.42-1.mga8
jetty-client-9.4.42-1.mga8
jetty-util-9.4.42-1.mga8
jetty-server-9.4.42-1.mga8
jetty-http-9.4.42-1.mga8
jetty-io-9.4.42-1.mga8
jetty-servlet-9.4.42-1.mga8
jetty-webapp-9.4.42-1.mga8
jetty-xml-9.4.42-1.mga8
jetty-security-9.4.42-1.mga8
jetty-util-ajax-9.4.42-1.mga8
jetty-jmx-9.4.42-1.mga8
jetty-jaas-9.4.42-1.mga8
jetty-continuation-9.4.42-1.mga8
jetty-javadoc-9.4.42-1.mga8

from jetty-9.4.42-1.mga8.src.rpm
Advisory:
========================

Updated jetty packages fix security vulnerabilities:

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values (CVE-2020-27223).

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory (CVE-2021-28163).

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application (CVE-2021-28164).

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame (CVE-2021-28165).

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application (CVE-2021-28169).
References:
- https://bugs.mageia.org/show_bug.cgi?id=29034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27223
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28163
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28164
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28169
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
- https://www.debian.org/lts/security/2021/dla-2688
========================

Updated packages in core/updates_testing:
========================
jetty-9.4.42-1.mga8
jetty-client-9.4.42-1.mga8
jetty-util-9.4.42-1.mga8
jetty-server-9.4.42-1.mga8
jetty-http-9.4.42-1.mga8
jetty-io-9.4.42-1.mga8
jetty-servlet-9.4.42-1.mga8
jetty-webapp-9.4.42-1.mga8
jetty-xml-9.4.42-1.mga8
jetty-security-9.4.42-1.mga8
jetty-util-ajax-9.4.42-1.mga8
jetty-jmx-9.4.42-1.mga8
jetty-jaas-9.4.42-1.mga8
jetty-continuation-9.4.42-1.mga8
jetty-javadoc-9.4.42-1.mga8

from jetty-9.4.42-1.mga8.src.rpm
CC: (none) => ouaurelien
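As an added example (not the advisory's or the Mageia package's own code), the following Python inspector flags, from a defender's side, the two request patterns the advisory above describes: encoded or double-encoded dot segments that normalise to a WEB-INF path (CVE-2021-28164, CVE-2021-28169) and Accept headers carrying an abnormal number of q parameters (CVE-2020-27223). The record format, the sample records and the 20-parameter threshold are assumptions.

```python
# Added example (not the advisory's or the package's own code): flag request targets that
# normalise to WEB-INF/META-INF after repeated decoding, and Accept headers flooded with q=.
import posixpath
import re
from urllib.parse import unquote

PROTECTED = {"WEB-INF", "META-INF"}
MAX_Q_PARAMS = 20  # assumed threshold; tune to real client behaviour
Q_PARAM = re.compile(r";\s*q\s*=", re.IGNORECASE)

def deep_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so %2557EB-INF becomes WEB-INF."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def touches_protected(target: str) -> bool:
    """True if the decoded, normalised path or query reaches a protected dir."""
    path, _, query = deep_decode(target).partition("?")
    for part in (path, query):
        if part:
            norm = posixpath.normpath("/" + part.lstrip("/"))
            if PROTECTED & {seg.upper() for seg in norm.split("/")}:
                return True
    return False

def accept_q_count(accept_header: str) -> int:
    """Number of ;q= parameters in an Accept header (CVE-2020-27223 pattern)."""
    return len(Q_PARAM.findall(accept_header))

def scan(records):
    """records: (client, target, accept) tuples -> list of (client, reason)."""
    findings = []
    for client, target, accept in records:
        if touches_protected(target):
            findings.append((client, "protected-resource-access"))
        if accept_q_count(accept) > MAX_Q_PARAMS:
            findings.append((client, "accept-q-flood"))
    return findings

# Constructed sample records, not real traffic.
SAMPLE = [
    ("198.51.100.7", "/context/%2e/WEB-INF/web.xml", "text/html"),
    ("198.51.100.8", "/concat?/%2557EB-INF/web.xml", "*/*"),
    ("198.51.100.9", "/context/index.html", ",".join(["text/html;q=0.5"] * 40)),
    ("198.51.100.10", "/context/index.html", "text/html;q=0.9,*/*;q=0.8"),
]
```

A single-pass decoder misses the `%2557` case because the first decode only yields `%57`; the loop in `deep_decode` is what makes the second record visible.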
MGA8-64 Plasma on Lenovo B50

No apparent installation issues.
Tried to follow bug 21202 Len's tests, but ....

$ export JETTY_HOME=/usr/share/jetty
$ export JETTY_BASE=/home/tester8/Documenten/jetty/
$ java -jar $JETTY_HOME/start.jar --create-startd
Error: Unable to access jarfile /usr/share/jetty/start.jar

Checked and found no start.jar, checked MCC and package jetty shows: no files found.
That doesn't seem normal to me.
CC: (none) => herman.viaene
I can confirm Herman's findings. No /usr/share/jetty directory but there is a /usr/share/java/jetty directory without start.jar. start.jar does not exist. There are client and server jars however so maybe the startup process has changed. Shall look into it.

This link was last updated about a year ago https://zetcode.com/java/jetty/introduction/ and implies that the start.jar resource file should be available as part of the tarball.

This is what should be in JETTY_HOME according to the docs:

$ ls -F
bin/        lib/                         modules/     resources/  start.jar
demo-base/  license-eplv10-aslv20.html   notice.html  start.d/    VERSION.txt
etc/        logs/                        README.TXT   start.ini   webapps/

For jetty the licences can be found here under /usr/share/licenses:
jetty-javadoc: LICENSE LICENSE-MIT NOTICE.txt
jetty-util: LICENSE LICENSE-MIT NOTICE.txt

Official reference documentation at https://www.eclipse.org/jetty/documentation.php. Apparently jetty has reached version 11 but there is still documentation for version 9. That also talks about starting things off with the start.jar file so it does seem that we should have it.

Maybe Nicolas can throw some light on this.
CC: (none) => tarazed25
Keywords: (none) => feedback
Debian has issued an advisory for this on August 4:
https://www.debian.org/security/2021/dsa-4949

It also lists CVE-2021-34428, fixed upstream in 9.4.41, also fixed in this update:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-34428
SUSE has issued an advisory on August 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009354.html

The issue is fixed upstream in 9.4.43:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
Keywords: feedback => (none)
Whiteboard: (none) => MGA8TOO
Assignee: qa-bugs => java
Version: 8 => Cauldron
Status comment: (none) => Fixed upstream in 9.4.43
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-34428 => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89]
(In reply to David Walser from comment #11)
> SUSE has issued an advisory on August 25:
> https://lists.suse.com/pipermail/sle-security-updates/2021-August/009354.html
>
> The issue is fixed upstream in 9.4.43:
> https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-
> 65vm

openSUSE has issued an advisory for this on August 25:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3BXMLXWW5ACU3IDNEEUVRZ3WYWHNGPZM/
Updated to 9.4.43 by Nicolas.

jetty-client-9.4.43-1.mga8
jetty-util-9.4.43-1.mga8
jetty-server-9.4.43-1.mga8
jetty-http-9.4.43-1.mga8
jetty-io-9.4.43-1.mga8
jetty-servlet-9.4.43-1.mga8
jetty-webapp-9.4.43-1.mga8
jetty-xml-9.4.43-1.mga8
jetty-security-9.4.43-1.mga8
jetty-util-ajax-9.4.43-1.mga8
jetty-jmx-9.4.43-1.mga8
jetty-jaas-9.4.43-1.mga8
jetty-continuation-9.4.43-1.mga8
jetty-9.4.43-1.mga8
jetty-javadoc-9.4.43-1.mga8

from jetty-9.4.43-1.mga8.src.rpm
Status comment: Fixed upstream in 9.4.43 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: java => qa-bugs
Installed the latest 9.4.43-1, but still the same problem as in Comment 8.
Did some checks: package jetty is empty in the other packages, the path seems to be /usr/share/java/jetty i.s.o. /usr/share/jetty, there is nowhere a start.jar.
@Herman: With the pre-update jetty Eclipse does start up from the menus. Look in Development -> Development Environments.
mga8, x64

Updated all the packages and launched Eclipse from the system menus and hit Launch when the gui appeared. Tried the various help options but did not get any response so presumably there is some prior jetty configuration required and possibly a server and client running. Anyway, it starts up cleanly.
Following comment 16, discovered that java path had not been updated since Mageia 6. Amended that to /usr/lib/jvm/java-11-openjdk-11.0.11.0.9-0.1.mga8.x86_64/jre

$ eclipse
Gui launches to the Welcome screen and reports "Error resolving “org.eclipse.ui.intro”: Name or service not known"
As Herman discovered, there is no /usr/share/jetty. The online documentation implies that the JETTY_HOME environment variable should already be defined and states that this value must not be changed. That cannot be correct if it does not exist.

$ export JETTY_HOME='/usr/share/java/jetty'
$ ll $JETTY_HOME
total 2512
-rw-r--r-- 1 root root 314337 Dec  3 22:36 jetty-client.jar
-rw-r--r-- 1 root root  15390 Dec  3 22:36 jetty-continuation.jar
-rw-r--r-- 1 root root 214664 Dec  3 22:36 jetty-http.jar
-rw-r--r-- 1 root root 168897 Dec  3 22:36 jetty-io.jar
-rw-r--r-- 1 root root  37603 Dec  3 22:36 jetty-jaas.jar
-rw-r--r-- 1 root root  32358 Dec  3 22:36 jetty-jmx.jar
-rw-r--r-- 1 root root 108484 Dec  3 22:36 jetty-security.jar
-rw-r--r-- 1 root root 707230 Dec  3 22:36 jetty-server.jar
-rw-r--r-- 1 root root 135874 Dec  3 22:36 jetty-servlet.jar
-rw-r--r-- 1 root root  55246 Dec  3 22:36 jetty-util-ajax.jar
-rw-r--r-- 1 root root 565304 Dec  3 22:36 jetty-util.jar
-rw-r--r-- 1 root root 130301 Dec  3 22:36 jetty-webapp.jar
-rw-r--r-- 1 root root  58293 Dec  3 22:36 jetty-xml.jar

So maybe 'start.jar' is a coverall for any of those applications?

$ cd $JETTY_BASE
$ java -jar $JETTY_HOME/jetty-client.jar
no main manifest attribute, in /usr/share/java/jetty/jetty-client.jar
Eclipse now starts up but freezes on the Welcome screen.
@Nicolas, regarding the Eclipse failure:
Error resolving “org.eclipse.ui.intro”: Name or service not known

Does that mean that something is missing from the java environment on this machine? How to diagnose this?
Keywords: (none) => feedback
Further to comment 20:

$ locate org.eclipse.ui.intro
/org.eclipse.ui.intro.universal
....
/usr/lib/eclipse/plugins/org.eclipse.ui.intro.*
.....
Strange. The package jetty has no requires, suggests, recommends or files. I'd expect it to be a task package that would require at least some of the other packages, but as is, it serves no purpose. That however is not a regression.

According to https://www.eclipse.org/jetty/documentation/jetty-9/index.html#quick-start there is supposed to be a start.jar file. That's missing, but again that is not a regression.

With the current directory /usr/share/java/jetty running
# java -jar jetty-client.jar
no main manifest attribute, in jetty-client.jar

Seems there is no main manifest attribute in any of the jetty jar files.

This seems to be an unusable package, unless there are Mageia specific instructions provided for how it's supposed to be run. There is an open bug report, bug 8592 from 6 years ago. I suspect no one has used it since then and updates just passed based on clean install over the release version since then.

If I'm correct that the package is completely broken, it should be dropped from cauldron, and not updated further for Mageia 8.
CC: (none) => davidwhodgins
Debian has issued an advisory today (August 2):
https://www.debian.org/security/2022/dsa-5198

The issues are fixed upstream in 9.4.47:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Keywords: feedback => (none)
Status comment: (none) => Fixed upstream in 9.4.47
Summary: jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89] => jetty new security issues CVE-2020-27223 CVE-2021-2816[3-5,9], CVE-2021-3442[89], CVE-2022-204[78]
Version: 8 => Cauldron
Severity: major => critical
Assignee: qa-bugs => java
Hi,

After looking at that package, I think that it cannot do anything useful since we switched it to a minimal build (because we had to drop dependencies needed to build it completely). It is required by no other package so, IMHO, it should be dropped from Cauldron and we could close that bug as WONTFIX because, even if it has security issues in the code, nobody can exploit them.

Best regards,

Nico.
CC: (none) => nicolas.salguero
Sounds good.
done
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX
Are you sure??? jetty does not provide just one pkg but some others:

jetty-9.4.43-2.mga9.src.rpm provides:
jetty-9.4.43-2.mga9.noarch.rpm
jetty-xml-9.4.43-2.mga9.noarch.rpm
jetty-jmx-9.4.43-2.mga9.noarch.rpm
jetty-webapp-9.4.43-2.mga9.noarch.rpm
jetty-security-9.4.43-2.mga9.noarch.rpm
jetty-servlet-9.4.43-2.mga9.noarch.rpm
jetty-io-9.4.43-2.mga9.noarch.rpm
jetty-http-9.4.43-2.mga9.noarch.rpm
jetty-jaas-9.4.43-2.mga9.noarch.rpm
jetty-client-9.4.43-2.mga9.noarch.rpm
jetty-continuation-9.4.43-2.mga9.noarch.rpm
jetty-util-ajax-9.4.43-2.mga9.noarch.rpm
jetty-server-9.4.43-2.mga9.noarch.rpm
jetty-util-9.4.43-2.mga9.noarch.rpm
jetty-javadoc-9.4.43-2.mga9.noarch.rpm
CC: (none) => geiger.david68210
I do not see any reason to drop it right now!
Is there a reason to keep it? IIRC it was originally imported as a dep of Eclipse, which we've since dropped. Also, Claire filed a bug several years ago for it using a port which didn't match the documentation, which was completely ignored.
$ urpmq --whatrequires-recursive jetty-io|grep -v ^jetty|sort -u
buildnumber-maven-plugin
java-diff-utils-jgit
jboss-parent
jgit
maven-scm
maven-scm-test
shrinkwrap-depchain
shrinkwrap-depchain-java7
shrinkwrap-parent