Accepted jetty9 9.4.39-3+deb11u2 (source) into oldstable-proposed-updates
- To: debian-changes@lists.debian.org
- Subject: Accepted jetty9 9.4.39-3+deb11u2 (source) into oldstable-proposed-updates
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 29 Sep 2023 19:17:33 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: jetty9_9.4.39-3+deb11u2_source.changes
- Debian-source: jetty9
- Debian-suite: oldstable-proposed-updates
- Debian-version: 9.4.39-3+deb11u2
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1qmIzV-0060Zj-5w@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Sep 2023 22:15:39 CEST
Source: jetty9
Architecture: source
Version: 9.4.39-3+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
24fadecc143f5286e920ce9ded4251de2ea9adbf 2782 jetty9_9.4.39-3+deb11u2.dsc
508468a2bd1a55b1e58457e1d8454c16cebe990e 59476 jetty9_9.4.39-3+deb11u2.debian.tar.xz
1469998e6d6b5dc207ca1440edaf52c9b7fa3872 18271 jetty9_9.4.39-3+deb11u2_amd64.buildinfo
Checksums-Sha256:
8915ebecc67a866ada050cce63b09933aa2b8405bf40ad9eaa536ec270849c9e 2782 jetty9_9.4.39-3+deb11u2.dsc
e93ed88d26113e8f4aad741976ca29177f112b26b80df302028a75e92d14f8c5 59476 jetty9_9.4.39-3+deb11u2.debian.tar.xz
76e3ee327804f9cc221dae5ac1334757c0d5551db93b5d618167aa5ab5d7e8ed 18271 jetty9_9.4.39-3+deb11u2_amd64.buildinfo
Changes:
jetty9 (9.4.39-3+deb11u2) bullseye-security; urgency=high
.
* Team upload.
* The org.eclipse.jetty.servlets.CGI has been deprecated. It is potentially
unsafe to use it. The upstream developers of Jetty recommend using Fast CGI
instead. See also CVE-2023-36479.
* Fix CVE-2023-26048:
Jetty is a Java-based web server and servlet engine. In affected versions
servlets with multipart support (e.g. annotated with `@MultipartConfig`)
that call `HttpServletRequest.getParameter()` or
`HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
client sends a multipart request with a part that has a name but no
filename and very large content. This happens even with the default
settings of `fileSizeThreshold=0` which should stream the whole part
content to disk.
* Fix CVE-2023-26049:
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies, or otherwise perform unintended behavior by
tampering with the cookie parsing mechanism.
* Fix CVE-2023-40167:
Prior to this version Jetty accepted the `+` character preceding the
content-length value in an HTTP/1 header field. This is more permissive than
allowed by the RFC and other servers routinely reject such requests with
400 responses. There is no known exploit scenario, but it is conceivable
that request smuggling could result if Jetty is used in combination with a
server that does not close the connection after sending such a 400
response.
* CVE-2023-36479:
Users of the CgiServlet with a very specific command structure may have the
wrong command executed. If a user sends a request to a
org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its
name, the servlet will escape the command by wrapping it in quotation
marks. This wrapped command, plus an optional command prefix, will then be
executed through a call to Runtime.exec. If the original binary name
provided by the user contains a quotation mark followed by a space, the
resulting command line will contain multiple tokens instead of one.
* Fix CVE-2023-41900:
Jetty is vulnerable to weak authentication. If a Jetty
`OpenIdAuthenticator` uses the optional nested `LoginService`, and that
`LoginService` decides to revoke an already authenticated user, then the
current request will still treat the user as authenticated. The
authentication is then cleared from the session and subsequent requests
will not be treated as authenticated. So a request on a previously
authenticated session could be allowed to bypass authentication after it
had been rejected by the `LoginService`. This impacts usages of the
jetty-openid which have configured a nested `LoginService` and where that
`LoginService` is capable of rejecting previously authenticated users.
Files:
55faca405212383dd7929f285564453d 2782 java optional jetty9_9.4.39-3+deb11u2.dsc
e361e2cbaa31fe07832a71e7ee8ee687 59476 java optional jetty9_9.4.39-3+deb11u2.debian.tar.xz
1f3eb7b40c504c5ba845f1ae5700f37e 18271 java optional jetty9_9.4.39-3+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
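The lax Content-Length handling described under CVE-2023-40167 is exactly what a strict front-end or proxy validator should refuse. The Python below is an added example, not code from this upload or from Jetty: it checks Content-Length against the RFC 9110 grammar (digits only, no sign, duplicates allowed only when identical) before any integer conversion, since `int("+5")` would silently accept the same form; the function names and the sample request are constructed for illustration.

```python
import re

# Strict RFC 9110 grammar: Content-Length = 1*DIGIT (no sign, no whitespace,
# no other junk). Python's int("+123") accepts the form Jetty accepted before
# CVE-2023-40167, so the regex check must happen before any int() call.
_CONTENT_LENGTH = re.compile(r"[0-9]+")


def parse_content_length(field_values):
    """Return the declared body length, or None if the request must get a 400.

    field_values: list of raw Content-Length field values as received.
    Repeated values are tolerated only when all of them are identical.
    """
    seen = set()
    for raw in field_values:
        # One field line may carry a comma-separated list of values.
        for member in raw.split(","):
            member = member.strip(" \t")  # optional whitespace around members
            if not _CONTENT_LENGTH.fullmatch(member):
                return None  # "+5", "", "0x1A", " 5 6" all land here
            seen.add(int(member))
    if len(seen) != 1:
        return None  # missing, or conflicting duplicates (smuggling signal)
    return seen.pop()


def content_length_from_headers(raw_headers):
    """Pull Content-Length values out of raw HTTP/1 header lines and validate
    them. Returns ("ok", length), ("reject-400", None) or ("no-body-length", None)."""
    values = []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-length":
            values.append(value.strip(" \t"))
    if not values:
        return ("no-body-length", None)
    length = parse_content_length(values)
    return ("ok", length) if length is not None else ("reject-400", None)


# Constructed sample request (not from the advisory) carrying the "+" form.
SAMPLE_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Length: +5\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(content_length_from_headers(SAMPLE_REQUEST))  # ('reject-400', None)
```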