Bug 8465 - jetty missing update for security issue CVE-2011-4461
: jetty missing update for security issue CVE-2011-4461
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/481977/
: has_procedure mga2-32-OK mga2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-12-21 17:28 CET by David Walser
Modified: 2013-01-05 19:36 CET (History)
3 users (show)

See Also:
Source RPM: jetty-6.1.26-14.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-12-21 17:28:22 CET
Fedora has issued an update on January 21:
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076411.html

They added a patch to the same version we have in Mageia 2 here:
http://pkgs.fedoraproject.org/cgit/jetty.git/commit/?h=f16&id=b790f86baf4c619d8baba7356aab10d9aa61199f

Cauldron is not affected as it was fixed upstream in 8.1.0.
Comment 1 D Morgan 2013-01-03 00:34:02 CET
available on testing
Comment 2 David Walser 2013-01-03 02:41:00 CET
Thanks D Morgan!

Advisory:
========================

Updated jetty packages fix security vulnerability:

Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without
restricting the ability to trigger hash collisions predictably, which allows
remote attackers to cause a denial of service (CPU consumption) by sending
many crafted parameters (CVE-2011-4461).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461
http://lists.fedoraproject.org/pipermail/package-announce/2012-March/076411.html
========================

Updated packages in core/updates_testing:
========================
jetty-6.1.26-14.1.mga2
jetty-maven-plugins-6.1.26-14.1.mga2
jetty-javadoc-6.1.26-14.1.mga2
jetty-manual-6.1.26-14.1.mga2

from jetty-6.1.26-14.1.mga2.src.rpm
Comment 3 claire robinson 2013-01-03 16:27:07 CET
No PoC that I can find. 

This looks to be our first update for Jetty so looking to find some documentation for testing.
Comment 4 claire robinson 2013-01-03 17:25:31 CET
Some info here http://www.eclipse.org/jetty/documentation/current/quickstart-running-jetty.html

Before
------
# cd /usr/share/jetty

# java -jar start.jar

Browsing to http://localhost:8080 and clicking some of the links seems to work well but starting the jetty service with 'service jetty start' doesn't seem to start any webserver.
Comment 5 claire robinson 2013-01-03 17:55:07 CET
When started as a service it starts on port 8088 so http://localhost:8088 instead of 8080 which seems to be the default jetty port.
Comment 6 claire robinson 2013-01-03 18:11:57 CET
Another one affected by bug 2317 so will need some links when pushed.

----------------------------------------
Running checks for "jetty" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for i586
Latest version found in "Core Release" is jetty-6.1.26-14.mga2
Latest version found in "Core Updates Testing" is jetty-6.1.26-14.1.mga2
----------------------------------------
The following packages will require linking:

classpathx-mail-1.1.1-10.mga1 (Core Release)
java-1.5.0-gcj-1.5.0.0-17.1.24.mga2 (Core Release)
java-1.5.0-gcj-devel-1.5.0.0-17.1.24.mga2 (Core Release)
javamail-1.4.3-7.mga1 (Core Release)
----------------------------------------
Comment 7 claire robinson 2013-01-03 18:13:06 CET
Testing complete mga2 32

Just clicking on the example links found at http://localhost:8088 once the jetty service is started
Comment 8 claire robinson 2013-01-03 18:19:42 CET
Created bug 8592 for the 8088/8080 thing, not sure if it on purpose or by accident.
Comment 9 David Walser 2013-01-03 19:46:52 CET
Patch added to Mageia 1 SVN.  Also fixed creation of jetty user and added LSB headers to the init script.
Comment 10 claire robinson 2013-01-04 15:33:15 CET
Removing bug 2317. It does not apply here.

I had an old depcheck version on my 32 bit laptop which didn't parse package choices properly.
Comment 11 claire robinson 2013-01-04 16:56:12 CET
Testing complete mga2 64

Bug 8599 created for a potential urpmi bug noticed whilst testing

Validating

Advisory & SRPM in comment 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 12 Thomas Backlund 2013-01-05 19:36:00 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0002

Note You need to log in before you can comment on or make changes to this bug.