Bug 8465 - jetty missing update for security issue CVE-2011-4461
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/481977/
Whiteboard: has_procedure mga2-32-OK mga2-64-OK
Keywords: validated_update
Reported: 2012-12-21 17:28 CET by David Walser
Modified: 2013-01-05 19:36 CET
Source RPM: jetty-6.1.26-14.mga2.src.rpm
Description David Walser 2012-12-21 17:28:22 CET
Fedora has issued an update on January 21:

They added a patch to the same version we have in Mageia 2 here:

Cauldron is not affected as it was fixed upstream in 8.1.0.
Comment 1 D Morgan 2013-01-03 00:34:02 CET
available on testing
Comment 2 David Walser 2013-01-03 02:41:00 CET
Thanks D Morgan!


Updated jetty packages fix security vulnerability:

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without
restricting the ability to trigger hash collisions predictably, which allows
remote attackers to cause a denial of service (CPU consumption) by sending
many crafted parameters (CVE-2011-4461).


Updated packages in core/updates_testing:

from jetty-6.1.26-14.1.mga2.src.rpm
Comment 3 claire robinson 2013-01-03 16:27:07 CET
No PoC that I can find. 

This looks to be our first update for Jetty so looking to find some documentation for testing.
Comment 4 claire robinson 2013-01-03 17:25:31 CET
Some info here http://www.eclipse.org/jetty/documentation/current/quickstart-running-jetty.html

# cd /usr/share/jetty

# java -jar start.jar

Browsing to http://localhost:8080 and clicking some of the links seems to work well but starting the jetty service with 'service jetty start' doesn't seem to start any webserver.
Comment 5 claire robinson 2013-01-03 17:55:07 CET
When started as a service it starts on port 8088 so http://localhost:8088 instead of 8080 which seems to be the default jetty port.
Comment 6 claire robinson 2013-01-03 18:11:57 CET
Another one affected by bug 2317 so will need some links when pushed.

Running checks for "jetty" using media
"Core Release" and "Core Updates Testing".
Mageia release 2 (Official) for i586
Latest version found in "Core Release" is jetty-6.1.26-14.mga2
Latest version found in "Core Updates Testing" is jetty-6.1.26-14.1.mga2
The following packages will require linking:

classpathx-mail-1.1.1-10.mga1 (Core Release)
java-1.5.0-gcj- (Core Release)
java-1.5.0-gcj-devel- (Core Release)
javamail-1.4.3-7.mga1 (Core Release)
Comment 7 claire robinson 2013-01-03 18:13:06 CET
Testing complete mga2 32

Just clicking on the example links found at http://localhost:8088 once the jetty service is started
Comment 8 claire robinson 2013-01-03 18:19:42 CET
Created bug 8592 for the 8088/8080 thing, not sure if it is on purpose or by accident.
Comment 9 David Walser 2013-01-03 19:46:52 CET
Patch added to Mageia 1 SVN.  Also fixed creation of jetty user and added LSB headers to the init script.
Comment 10 claire robinson 2013-01-04 15:33:15 CET
Removing bug 2317. It does not apply here.

I had an old depcheck version on my 32 bit laptop which didn't parse package choices properly.
Comment 11 claire robinson 2013-01-04 16:56:12 CET
Testing complete mga2 64

Bug 8599 created for a potential urpmi bug noticed whilst testing


Advisory & SRPM in comment 2

Could sysadmin please push from core/updates_testing to core/updates

Comment 12 Thomas Backlund 2013-01-05 19:36:00 CET
Update pushed:
