jetty9 - Debian Package Tracker

general

source: jetty9 (main)
version: 9.4.39-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Emmanuel Bourg [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 9.2.21-1+deb9u1
old-sec: 9.2.30-0+deb9u1
old-bpo: 9.2.26-1~bpo9+1
stable: 9.4.15-1
stable-bpo: 9.4.39-1~bpo10+1
testing: 9.4.39-1
unstable: 9.4.39-1

versioned links

9.2.21-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.26-1~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.30-0+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.39-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.4.39-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jetty9 (5 bugs: 2, 3, 0, 0)
libjetty9-extra-java
libjetty9-java

action needed

A new upstream version is available: 9.4.42 high

A new upstream version 9.4.42 is available, you should consider packaging it.

Created: 2021-03-29 Last update: 2021-06-13 04:03

9 security issues in buster high

There are 9 open security issues in buster.

7 important issues:

CVE-2020-27216: In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CVE-2020-27218: In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
CVE-2020-27223: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CVE-2021-28163: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVE-2021-28164: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28165: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-28169: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

2 issues left for the package maintainer to handle:

CVE-2019-10241: (needs triaging) In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-10247: (needs triaging) In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2021-06-10 23:32

3 security issues in stretch high

There are 3 open security issues in stretch.

1 important issue:

CVE-2021-28169: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

2 ignored issues:

CVE-2020-27218: In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
CVE-2021-28165: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Created: 2021-06-10 Last update: 2021-06-10 23:32

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2021-28169: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Created: 2021-06-10 Last update: 2021-06-10 23:32

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2021-28169: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Created: 2021-06-10 Last update: 2021-06-10 23:32

lintian reports 2 errors and 56 warnings high

Lintian reports 2 errors and 56 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-05-27 Last update: 2021-05-27 22:04

Depends on packages which need a new maintainer normal

The packages that jetty9 depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2019-11-22 Last update: 2021-06-13 02:31

news

[rss feed]

[2021-05-14] Accepted jetty9 9.2.30-0+deb9u1 (source) into oldstable (Sylvain Beucler)
[2021-05-04] Accepted jetty9 9.4.39-1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2021-04-19] jetty9 9.4.39-1 MIGRATED to testing (Debian testing watch)
[2021-04-16] Accepted jetty9 9.4.38-1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2021-04-13] Accepted jetty9 9.4.39-1 (source) into unstable (Emmanuel Bourg)
[2021-03-11] jetty9 9.4.38-1 MIGRATED to testing (Debian testing watch)
[2021-02-28] Accepted jetty9 9.4.38-1 (source) into unstable (Emmanuel Bourg)
[2021-02-03] Accepted jetty9 9.4.36-1~bpo10+1 (source) into buster-backports (Emmanuel Bourg)
[2021-01-23] jetty9 9.4.36-1 MIGRATED to testing (Debian testing watch)
[2021-01-17] Accepted jetty9 9.4.36-1 (source) into unstable (Emmanuel Bourg)
[2021-01-05] Accepted jetty9 9.4.35-1~bpo10+1 (source) into buster-backports (Emmanuel Bourg)
[2021-01-05] jetty9 9.4.35-1 MIGRATED to testing (Debian testing watch)
[2020-12-30] Accepted jetty9 9.4.35-1 (source) into unstable (Emmanuel Bourg)
[2020-10-27] Accepted jetty9 9.4.33-1~bpo10+1 (source) into buster-backports (Emmanuel Bourg)
[2020-10-27] jetty9 9.4.33-1 MIGRATED to testing (Debian testing watch)
[2020-10-22] Accepted jetty9 9.4.33-1 (source) into unstable (Emmanuel Bourg)
[2020-09-16] Accepted jetty9 9.4.31-1~bpo10+1 (source) into buster-backports (Emmanuel Bourg)
[2020-09-08] jetty9 9.4.31-1 MIGRATED to testing (Debian testing watch)
[2020-09-03] Accepted jetty9 9.4.31-1 (source) into unstable (Emmanuel Bourg)
[2020-06-02] jetty9 9.4.29-1 MIGRATED to testing (Debian testing watch)
[2020-05-27] Accepted jetty9 9.4.29-1 (source) into unstable (Emmanuel Bourg)
[2020-05-27] Accepted jetty9 9.4.28-1~bpo10+1 (source all) into buster-backports (Emmanuel Bourg)
[2020-04-19] jetty9 9.4.28-1 MIGRATED to testing (Debian testing watch)
[2020-04-13] Accepted jetty9 9.4.28-1 (source) into unstable (Emmanuel Bourg)
[2020-04-11] jetty9 9.4.27-1 MIGRATED to testing (Debian testing watch)
[2020-04-05] Accepted jetty9 9.4.27-1 (source) into unstable (Emmanuel Bourg)
[2020-03-03] Accepted jetty9 9.4.26-1~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Emmanuel Bourg)
[2020-02-02] jetty9 9.4.26-1 MIGRATED to testing (Debian testing watch)
[2020-01-27] Accepted jetty9 9.4.26-1 (source) into unstable (Emmanuel Bourg)
[2019-07-18] jetty9 9.4.18-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 5
RC: 2
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (2, 56)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.4.39-1
5 bugs