Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-changes@lists.debian.org>
Subject: Accepted jetty9 9.4.39-3+deb11u2 (source) into oldstable-proposed-updates
Date: Fri, 29 Sep 2023 19:17:33 +0000
Signed by: Markus Koschany <apo@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Sep 2023 22:15:39 CEST
Source: jetty9
Architecture: source
Version: 9.4.39-3+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 24fadecc143f5286e920ce9ded4251de2ea9adbf 2782 jetty9_9.4.39-3+deb11u2.dsc
 508468a2bd1a55b1e58457e1d8454c16cebe990e 59476 jetty9_9.4.39-3+deb11u2.debian.tar.xz
 1469998e6d6b5dc207ca1440edaf52c9b7fa3872 18271 jetty9_9.4.39-3+deb11u2_amd64.buildinfo
Checksums-Sha256:
 8915ebecc67a866ada050cce63b09933aa2b8405bf40ad9eaa536ec270849c9e 2782 jetty9_9.4.39-3+deb11u2.dsc
 e93ed88d26113e8f4aad741976ca29177f112b26b80df302028a75e92d14f8c5 59476 jetty9_9.4.39-3+deb11u2.debian.tar.xz
 76e3ee327804f9cc221dae5ac1334757c0d5551db93b5d618167aa5ab5d7e8ed 18271 jetty9_9.4.39-3+deb11u2_amd64.buildinfo
Changes:
 jetty9 (9.4.39-3+deb11u2) bullseye-security; urgency=high
 .
   * Team upload.
   * The org.eclipse.jetty.servlets.CGI has been deprecated. It is potentially
     unsafe to use it. The upstream developers of Jetty recommend to use Fast CGI
     instead. See also CVE-2023-36479.
   * Fix CVE-2023-26048:
     Jetty is a java based web server and servlet engine. In affected versions
     servlets with multipart support (e.g. annotated with `@MultipartConfig`)
     that call `HttpServletRequest.getParameter()` or
     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
     client sends a multipart request with a part that has a name but no
     filename and very large content. This happens even with the default
     settings of `fileSizeThreshold=0` which should stream the whole part
     content to disk.
   * Fix CVE-2023-26049:
     Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
     cookies within other cookies, or otherwise perform unintended behavior by
     tampering with the cookie parsing mechanism.
   * Fix CVE-2023-40167:
     Prior to this version Jetty accepted the `+` character proceeding the
     content-length value in a HTTP/1 header field. This is more permissive than
     allowed by the RFC and other servers routinely reject such requests with
     400 responses. There is no known exploit scenario, but it is conceivable
     that request smuggling could result if jetty is used in combination with a
     server that does not close the connection after sending such a 400
     response.
   * CVE-2023-36479:
     Users of the CgiServlet with a very specific command structure may have the
     wrong command executed. If a user sends a request to a
     org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its
     name, the servlet will escape the command by wrapping it in quotation
     marks. This wrapped command, plus an optional command prefix, will then be
     executed through a call to Runtime.exec. If the original binary name
     provided by the user contains a quotation mark followed by a space, the
     resulting command line will contain multiple tokens instead of one.
   * Fix CVE-2023-41900:
     Jetty is vulnerable to weak authentication. If a Jetty
     `OpenIdAuthenticator` uses the optional nested `LoginService`, and that
     `LoginService` decides to revoke an already authenticated user, then the
     current request will still treat the user as authenticated. The
     authentication is then cleared from the session and subsequent requests
     will not be treated as authenticated. So a request on a previously
     authenticated session could be allowed to bypass authentication after it
     had been rejected by the `LoginService`. This impacts usages of the
     jetty-openid which have configured a nested `LoginService` and where that
     `LoginService` is capable of rejecting previously authenticated users.
Files:
 55faca405212383dd7929f285564453d 2782 java optional jetty9_9.4.39-3+deb11u2.dsc
 e361e2cbaa31fe07832a71e7ee8ee687 59476 java optional jetty9_9.4.39-3+deb11u2.debian.tar.xz
 1f3eb7b40c504c5ba845f1ae5700f37e 18271 java optional jetty9_9.4.39-3+deb11u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUV4YVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkJgUP/AqbWKMspmkdrrAv2flgvhDCxMIdGg+38RE4
hXTB7OxeYjmu1fZz1D9QkUFoy+DQlugT6T9U0xWtXFclOtfmLgd8/zn+Gwm1yNt8
ozYRGtvSK4NLY3mz8Jq50lP9DJTzzYCZKvIr6yFcUrjlf+6B8KMgoyjTAzK8agwd
MxTXPjFh80IrP2V9QjuHk+3VsLQNc4f64Eg9VUgzGV0ia2LaZXKZJOfYnS+Uh8PV
FDWygmN7SE7MZ2Sa2utSWNzgjW0OgNQM+RRyIg/js4JgJnhA535UZHP4gQ4094rJ
nNDPHy0mBQIA0pIbX2syOHt+FC3bgzNVktcbZYNMx0m6bEThukv4XIN1f54vkGZn
IZqXy/jEXTNa31bbwDM3j3sBzf6RUPs5oS6Dvh99jeiUjzGcfW9TRiZDIz9ZVRF3
3o7hkEgZe8fvJsCYdVxtva1txXZR+5aDy15JVskd7Qmbnsp7Ea8TH3VG3sQWgsn4
uD68JOWTAHN9F+quPpiXCIAOVlaIn1CCu+XIumF/JL8LQIIdjxVbNWidcD+0vPC2
k0ML2BqJIpo8OnBL2gk+Ic1yZSed6i2mBO6EpnNwJoFko2HCsbExgvByOhJBb3h3
tlw29XzemxXDyAHRpaMRtFTtk5hPyxkoFdEVW4jWYp2+5HnbZ/IdsdxWljLCk6sL
Y9vobfQ9
=oQrR
-----END PGP SIGNATURE-----
News for package jetty9
