Accepted jetty9 9.4.16-0+deb10u3 (source) into oldoldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted jetty9 9.4.16-0+deb10u3 (source) into oldoldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 30 Sep 2023 12:21:31 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: jetty9_9.4.16-0+deb10u3_source.changes
- Debian-source: jetty9
- Debian-suite: oldoldstable
- Debian-version: 9.4.16-0+deb10u3
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=Z0ecYiowqcCphbJxgfgg7XnQvUIUYulSB10TYHWqzyI=; b=uvo0vrWgV/u+iwp3WIPF8I2gJb /d+qXIhRnVieXvPOvSzO6sKySgPoARv/3PFE0cN2YTP72UF/Yjgx98pzOLhvN/tcnAb0lutdSmrPY gysn11qGLtcRgM9wXa6kPsQ93+jMoPjBYzNgJnxxdfXdcjXiERCRG6FtXKWQNP6Vg5AQrqI2UHica Uyxtb/UYnz8kM7btEeYsnbUQkXh3K8bOvBHlO5hodXoUgkPEfHYbY0aOBP1zUsDEi9y3m+qJf0swX YBZoH5ejXK7OHiND6B3MTVYWzSba2UYXwg6ZdM5H3b03WuL+SsVwyAx9KZfNpXMsJswX7qO4WKn02 0pWjzArQ==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1qmYyR-00FPQN-DV@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 30 Sep 2023 14:05:49 CEST
Source: jetty9
Architecture: source
Version: 9.4.16-0+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
1a86a746a3b4323cfeeee203bca929da0c606854 2776 jetty9_9.4.16-0+deb10u3.dsc
9cba53c059843027ebca50e1efddb56da8d091da 60636 jetty9_9.4.16-0+deb10u3.debian.tar.xz
829988b427ba39202181fb18ecb03ea56415c6f3 17838 jetty9_9.4.16-0+deb10u3_amd64.buildinfo
Checksums-Sha256:
a2e1de869bf33781c063aed30c9a6682e1958cfb5096d4afab70103cf30e2639 2776 jetty9_9.4.16-0+deb10u3.dsc
ed07f595331a2b08c195ecaef89d499f2d2e38410cfec60ca1c402029ca84000 60636 jetty9_9.4.16-0+deb10u3.debian.tar.xz
45bfbf71cbbd27cf0f6cb109ce32733e0d43e02a06c914b8f6e8c9195cded39a 17838 jetty9_9.4.16-0+deb10u3_amd64.buildinfo
Changes:
jetty9 (9.4.16-0+deb10u3) buster-security; urgency=high
.
* Team upload.
* The org.eclipse.jetty.servlets.CGI has been deprecated. It is potentially
unsafe to use it. The upstream developers of Jetty recommend to use Fast CGI
instead. See also CVE-2023-36479.
* Fix CVE-2023-26048:
Jetty is a java based web server and servlet engine. In affected versions
servlets with multipart support (e.g. annotated with `@MultipartConfig`)
that call `HttpServletRequest.getParameter()` or
`HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
client sends a multipart request with a part that has a name but no
filename and very large content. This happens even with the default
settings of `fileSizeThreshold=0` which should stream the whole part
content to disk.
* Fix CVE-2023-26049:
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies, or otherwise perform unintended behavior by
tampering with the cookie parsing mechanism.
* Fix CVE-2023-40167:
Prior to this version Jetty accepted the `+` character proceeding the
content-length value in a HTTP/1 header field. This is more permissive than
allowed by the RFC and other servers routinely reject such requests with
400 responses. There is no known exploit scenario, but it is conceivable
that request smuggling could result if jetty is used in combination with a
server that does not close the connection after sending such a 400
response.
* CVE-2023-36479:
Users of the CgiServlet with a very specific command structure may have the
wrong command executed. If a user sends a request to a
org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its
name, the servlet will escape the command by wrapping it in quotation
marks. This wrapped command, plus an optional command prefix, will then be
executed through a call to Runtime.exec. If the original binary name
provided by the user contains a quotation mark followed by a space, the
resulting command line will contain multiple tokens instead of one.
Files:
782354ea3405aaeb71fecb8fb9ad2693 2776 java optional jetty9_9.4.16-0+deb10u3.dsc
1385fec977a157327d8798ec4e967d4e 60636 java optional jetty9_9.4.16-0+deb10u3.debian.tar.xz
0e04433cb31fe23089a1836d0ab7c7a7 17838 java optional jetty9_9.4.16-0+deb10u3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUYDz5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkEtwP/RjyTY2EWvSVCMqq7Nukf3rs0ZsdHXsDrxlI
v4NNg/znHWHeYNQOf4iw3iIKmF8lzAotsXaAjCVHap26AM3btrSKRUKuvfkkorCH
HNaQmRqu1nCcjzxsHkn/mt+iZHS1OXoCHTmKZJQXGtngnleHDQT/8r2tmcr7YInk
Ipfzfo3Ph3YDrBY7aRNhky14f4vwbVC0I4zGcyB5gQCvJFEtEIcl5H7PNkgBezU1
D5v4jpt+UstTyEWNZCom+YcfnvftJkz3QDorJQtRkrGCoL8NWIt/BTb87qTpkCSn
fxQpwSn4Cf+VofqlTnPyZyc+dlAwz211LanCXXUen45nmH5lfeEb+uxddyka7VOd
U9Wu3y5Pqogv0gAfM0UjhjZBQAHAEqJ9wvDfqB07BAH1qwhDhuHjEF3xQh1iIjl/
WZdoSVBAKTUyi6x51GasgsbRON/ap+XRHxebOIfbGMPpjG4VboxamB0Jziju0WXm
6c+OAgSPQOQwQ5NEIhu6myHcQmC5cLh2+Aruk+ixbdJybOKDvixTF9h4jm3jQ20t
sqBu8W5lBVTSZBWaYHH7ZEiuCcLtdBuC3EvwMJugEP3NxDyu4xJM4SFB3LsHZrKt
Vzol/kLtK6nr5rcKS82IlWP0EFpCI/Xrg8FjOJ0YYmSDFj8o1IMVeOLt0uqryk3T
P0f0dtYl
=7Cn3
-----END PGP SIGNATURE-----