-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Sep 2023 00:15:54 CEST
Source: jetty9
Architecture: source
Version: 9.4.50-4+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 ca78a244ebc816aad2afe99e926fe31a00c03129 2836 jetty9_9.4.50-4+deb12u1.dsc
 8c76edc464ea85dd4688b69c95149804b37c9e02 9859692 jetty9_9.4.50.orig.tar.xz
 1b8641731c1676ba11636676a5be350e299b4e0f 44668 jetty9_9.4.50-4+deb12u1.debian.tar.xz
 f92f12b358ded47a2b7dfdec8a1d2f5ebf50d59a 19070 jetty9_9.4.50-4+deb12u1_amd64.buildinfo
Checksums-Sha256:
 db4fef7469db1e26c1a5d6442c0d010fc560f1754d8a8abd3e89ca6c5283220c 2836 jetty9_9.4.50-4+deb12u1.dsc
 3f211a810aaed5f8d9bc52e7f82b143319d4ab62f120ee85ed3b6b35b0218ebf 9859692 jetty9_9.4.50.orig.tar.xz
 ace60d99e715accfeea4acc2975f523ce16f0f123b4344d9c6de4f448cca36e8 44668 jetty9_9.4.50-4+deb12u1.debian.tar.xz
 07f3b559b3d56172b93ad03eff46ebcb8e0ffad0bbe50b01ace135dad46ce061 19070 jetty9_9.4.50-4+deb12u1_amd64.buildinfo
Changes:
 jetty9 (9.4.50-4+deb12u1) bookworm-security; urgency=high
 .
   * Team upload.
   * The org.eclipse.jetty.servlets.CGI has been deprecated. It is potentially
     unsafe to use it. The upstream developers of Jetty recommend using
     Fast CGI instead. See also CVE-2023-36479.
   * Fix CVE-2023-26048: Jetty is a java based web server and servlet engine.
     In affected versions servlets with multipart support (e.g. annotated with
     `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or
     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
     client sends a multipart request with a part that has a name but no
     filename and very large content. This happens even with the default
     settings of `fileSizeThreshold=0` which should stream the whole part
     content to disk.
   * Fix CVE-2023-26049: Nonstandard cookie parsing in Jetty may allow an
     attacker to smuggle cookies within other cookies, or otherwise perform
     unintended behavior by tampering with the cookie parsing mechanism.
   * Fix CVE-2023-40167: Prior to this version Jetty accepted the `+`
     character preceding the content-length value in an HTTP/1 header field.
     This is more permissive than allowed by the RFC and other servers
     routinely reject such requests with 400 responses. There is no known
     exploit scenario, but it is conceivable that request smuggling could
     result if jetty is used in combination with a server that does not
     close the connection after sending such a 400 response.
   * CVE-2023-36479: Users of the CgiServlet with a very specific command
     structure may have the wrong command executed. If a user sends a request
     to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in
     its name, the servlet will escape the command by wrapping it in
     quotation marks. This wrapped command, plus an optional command prefix,
     will then be executed through a call to Runtime.exec. If the original
     binary name provided by the user contains a quotation mark followed by a
     space, the resulting command line will contain multiple tokens instead
     of one.
   * Fix CVE-2023-41900: Jetty is vulnerable to weak authentication. If a
     Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and
     that `LoginService` decides to revoke an already authenticated user, then
     the current request will still treat the user as authenticated. The
     authentication is then cleared from the session and subsequent requests
     will not be treated as authenticated. So a request on a previously
     authenticated session could be allowed to bypass authentication after it
     had been rejected by the `LoginService`. This impacts usages of the
     jetty-openid which have configured a nested `LoginService` and where
     that `LoginService` is capable of rejecting previously authenticated
     users.
Files:
 c47be17422e74c22df3e4efced80e812 2836 java optional jetty9_9.4.50-4+deb12u1.dsc
 d8101f8fae9aadb9d5e07d34d0e38679 9859692 java optional jetty9_9.4.50.orig.tar.xz
 1a3ae6b5e67aa30bd99c276883e02662 44668 java optional jetty9_9.4.50-4+deb12u1.debian.tar.xz
 2c846c3479db4423da9556fdbccd0b67 19070 java optional jetty9_9.4.50-4+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUUqdBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk9CIP/14p8Bem+NacUzJWh/uVsNl1HtCqEL3vjYop
ho+Ym1AbPFUwzQfYK2jvgOKRaxdU9hJRv/P31YvQZxOQGOiFm2bCNelJjXRbfLpl
iJSmq3orcOPcxxskocniphxbaMn9vGYMpC0pC3jmWGv3Ej8jdLOH75SlnsojsRia
HYSwzg1bohpZ2t9E9a9dl55i8hD/WUNMJvYrngEtxWicfFKiyw5qP12ADZOGh7dl
85QepIfcGAIEeWvfgHAFCnYHOJ1/s5A3djZYD2rOgnQT10tLcDl4CGaNcDzh8/39
tTG0KnyUPLzC0I3pxD44l7QktjBYxn/LtQmIyrE5gRvyZI/p6EVN5fF1F3vx3BhO
vHjSDdgb3vfP8X7V4JwuyBqhlRZM1lEhJeBje5YrFAFK8COfF/gMvYxP5PPuAnW/
336E3zPdd90gsakahRubpgZvl3+vRBUT8pQlcxfvXAlUi6cF0khx+XAyzj27eKmd
MYHUQO8wwIkcZKLmcxiY2nMp5rnoNTCfDFi31RLBemF0zVKct8fD6qyOYoJTTzC3
N635jILInI0IRimIouX9t3vOYsSJneJ9+rqJGVL9ThivPM28MDpHIXrb4q/ZWyTi
k4MG9GrnOnygTtdP3JGTymbyf3pts/xWNV5x5GF8vAcL3nCOrKicHjLJsP8aa/Ds
70TwRHfN
=7Tie
-----END PGP SIGNATURE-----
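The CVE-2023-40167 entry above reasons that a `+` in front of the Content-Length value matters only because two HTTP parsers can then disagree about where a request ends. The following is an added illustration of that point; it is not Jetty code and not part of the Debian changelog. It contrasts an RFC 9110 parse (`1*DIGIT`) with a lenient parse that hands the field value to a general-purpose integer parser (Python's `int()` accepts a leading sign, as Java's `Long.parseLong` does), and frames one constructed byte stream three ways: leniently, strictly with the connection closed after the 400, and strictly with the connection kept open after the 400, which is the case the changelog calls conceivable. The function names, the `on_bad_length` policy and the sample stream are all constructed for the example.

```python
"""Strict vs. lenient Content-Length parsing, and why the difference matters.

Added illustration; not Jetty code and not part of the Debian changelog.
RFC 9110 defines Content-Length as 1*DIGIT, so "+24" is invalid. A
general-purpose integer parser (Python's int(), like Java's Long.parseLong)
accepts an optional sign, so a server that hands the field value straight to
such a parser frames the message differently from one that follows the RFC.
The sample stream below is constructed.
"""
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (no sign, no whitespace)
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


class BadRequest(ValueError):
    """The request must be answered with HTTP 400."""


def parse_content_length_lenient(value: str) -> int:
    """Permissive parse: whatever int() accepts ("+24", " 24 ", "2_4")."""
    try:
        n = int(value)
    except ValueError:
        raise BadRequest(f"unparseable Content-Length: {value!r}") from None
    if n < 0:
        raise BadRequest(f"negative Content-Length: {value!r}")
    return n


def parse_content_length_strict(value: str) -> int:
    """RFC-conformant parse: digits only."""
    if not _CONTENT_LENGTH_RE.match(value):
        raise BadRequest(f"invalid Content-Length: {value!r}")
    return int(value)


def strict_accepts(value: str) -> bool:
    """True if the strict parser would accept the field value."""
    try:
        parse_content_length_strict(value)
        return True
    except BadRequest:
        return False


def split_requests(stream: bytes, parse, on_bad_length: str = "close"):
    """Minimal HTTP/1.x framing of one connection's byte stream.

    Returns a list of (request_line, body) tuples; body is None for a request
    that was answered with 400. on_bad_length says what the server does after
    sending that 400: "close" drops the rest of the stream, "keep-alive"
    resumes parsing at the byte after the blank line. Chunked encoding and
    other framing rules are deliberately out of scope.
    """
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete head; a real server would wait for more bytes
        lines = head.decode("ascii").split("\r\n")
        request_line, headers = lines[0], lines[1:]
        length = 0
        try:
            for h in headers:
                name, _, val = h.partition(":")
                if name.strip().lower() == "content-length":
                    length = parse(val.strip())  # strip() removes optional whitespace
        except BadRequest:
            requests.append((request_line, None))  # 400 sent for this request
            if on_bad_length == "close":
                break
            stream = rest  # connection kept open: body bytes become the next head
            continue
        requests.append((request_line, rest[:length]))
        stream = rest[length:]
    return requests


# Constructed sample: one connection carrying a request whose Content-Length
# has a '+' sign and whose 24-byte body is shaped like a second request.
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: +24\r\n"
    b"\r\n"
    b"GET /second HTTP/1.1\r\n\r\n"
)


def demo():
    """How three differently behaving servers frame SAMPLE_STREAM."""
    return {
        "lenient": split_requests(SAMPLE_STREAM, parse_content_length_lenient),
        "strict, close after 400": split_requests(SAMPLE_STREAM, parse_content_length_strict),
        "strict, keep-alive after 400": split_requests(
            SAMPLE_STREAM, parse_content_length_strict, on_bad_length="keep-alive"),
    }


if __name__ == "__main__":
    for name, framing in demo().items():
        print(f"{name}: {framing}")
```

The lenient server sees one POST with a 24-byte body; the strict server that closes after its 400 sees one rejected request and nothing else; the strict server that keeps the connection open sees the rejected POST followed by a `GET /second`, which is the desync the changelog describes. Running the check in `strict_accepts` (or its equivalent) before framing is the fix on the parsing side; closing the connection after any 400 that was caused by a framing error removes the second half of the precondition.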