Fedora has issued an update on January 21:
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076411.html

They added a patch to the same version we have in Mageia 2 here:
http://pkgs.fedoraproject.org/cgit/jetty.git/commit/?h=f16&id=b790f86baf4c619d8baba7356aab10d9aa61199f

Cauldron is not affected as it was fixed upstream in 8.1.0.
available on testing
Thanks D Morgan!

Advisory:
========================

Updated jetty packages fix security vulnerability:

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters (CVE-2011-4461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076411.html
========================

Updated packages in core/updates_testing:
========================
jetty-6.1.26-14.1.mga2
jetty-maven-plugins-6.1.26-14.1.mga2
jetty-javadoc-6.1.26-14.1.mga2
jetty-manual-6.1.26-14.1.mga2

from jetty-6.1.26-14.1.mga2.src.rpm

CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
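An added example, not part of this bug report or of the Jetty or Mageia code: a small log-side check for the condition CVE-2011-4461 describes, flagging a urlencoded form body whose parameter names are too numerous or pile onto one hash value. It assumes the names are hashed with Java's String.hashCode(); the function names, thresholds and sample bodies are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl

def java_string_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + unit over UTF-16 code units, signed 32-bit."""
    data = s.encode("utf-16-be")
    h = 0
    for i in range(0, len(data), 2):
        h = (31 * h + int.from_bytes(data[i:i + 2], "big")) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h

def audit_form_body(body: str, max_keys: int = 1000, max_per_hash: int = 8) -> dict:
    """Flag a urlencoded form body with too many names or with names sharing one hash.

    max_keys and max_per_hash are assumed thresholds, not values from the advisory.
    """
    names = {name for name, _ in parse_qsl(body, keep_blank_values=True)}
    groups = Counter(java_string_hash(n) for n in names)
    worst = max(groups.values(), default=0)
    reasons = []
    if len(names) > max_keys:
        reasons.append("too many parameters")
    if worst > max_per_hash:
        reasons.append("hash collisions")
    return {"distinct_names": len(names), "largest_hash_group": worst, "reasons": reasons}

# Constructed sample bodies (not captured traffic).
BENIGN = "user=alice&email=alice%40example.org&comment=hello"
# "Aa" and "BB" are the textbook pair with equal String.hashCode(), so these four names collide.
COLLIDING = "AaAa=1&AaBB=2&BBAa=3&BBBB=4"

if __name__ == "__main__":
    print(audit_form_body(BENIGN))
    print(audit_form_body(COLLIDING, max_per_hash=3))
```
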
No PoC that I can find. This looks to be our first update for Jetty so looking to find some documentation for testing.
Some info here
http://www.eclipse.org/jetty/documentation/current/quickstart-running-jetty.html

Before
------
# cd /usr/share/jetty
# java -jar start.jar

Browsing to http://localhost:8080 and clicking some of the links seems to work well but starting the jetty service with 'service jetty start' doesn't seem to start any webserver.
When started as a service it starts on port 8088 so http://localhost:8088 instead of 8080 which seems to be the default jetty port.
Another one affected by bug 2317 so will need some links when pushed.

----------------------------------------
Running checks for "jetty" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for i586
Latest version found in "Core Release" is jetty-6.1.26-14.mga2
Latest version found in "Core Updates Testing" is jetty-6.1.26-14.1.mga2
----------------------------------------
The following packages will require linking:

classpathx-mail-1.1.1-10.mga1 (Core Release)
java-1.5.0-gcj-1.5.0.0-17.1.24.mga2 (Core Release)
java-1.5.0-gcj-devel-1.5.0.0-17.1.24.mga2 (Core Release)
javamail-1.4.3-7.mga1 (Core Release)
----------------------------------------
Depends on: (none) => 2317
Testing complete mga2 32

Just clicking on the example links found at http://localhost:8088 once the jetty service is started
Whiteboard: (none) => has_procedure mga2-32-OK
Created bug 8592 for the 8088/8080 thing, not sure if it is on purpose or by accident.
Patch added to Mageia 1 SVN. Also fixed creation of jetty user and added LSB headers to the init script.
Removing bug 2317. It does not apply here. I had an old depcheck version on my 32 bit laptop which didn't parse package choices properly.
Depends on: 2317 => (none)
Testing complete mga2 64

Bug 8599 created for a potential urpmi bug noticed whilst testing

Validating

Advisory & SRPM in comment 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: has_procedure mga2-32-OK => has_procedure mga2-32-OK mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0002
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED