Subject: bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
From: Léo Le Bouter via Bug reports for GNU Guix
To: 47562@debbugs.gnu.org
Cc: bug-guix@gnu.org
Date: Fri, 02 Apr 2021 12:37:27 +0200
Message-ID: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net>

CVE-2021-28165 01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

CVE-2021-28164 01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28163 01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

The fix is to upgrade to the latest version, currently: 9.4.39.v20210325
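As an added, defender-side example (not part of this bug report, of Guix, or of Jetty's own code), the snippet below shows the ambiguity behind CVE-2021-28164 from the detection side: a check on the raw request path does not see "WEB-INF" as a leading segment, but once the path is percent-decoded and dot segments are resolved it points straight at a protected resource. It canonicalises request targets, flags those that resolve under WEB-INF or META-INF of a context, and runs that over a few constructed access-log lines so that a 2xx on such a request stands out as an actual leak. The log lines, the "/context" name and all function names are constructed for this example.

```python
"""Flag requests whose decoded, dot-resolved path lands under WEB-INF.

Added example, not from the bug report or from Jetty. Assumes a single
servlet context mounted at /context and a combined-format access log.
"""
import re
from urllib.parse import unquote

# Directories a servlet container must never serve directly.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}

# Constructed sample log lines (combined log format, status and size only).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [02/Apr/2021:12:37:27 +0200] "GET /context/index.html HTTP/1.1" 200 512
203.0.113.5 - - [02/Apr/2021:12:37:28 +0200] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048
203.0.113.5 - - [02/Apr/2021:12:37:29 +0200] "GET /context/static/%2e%2e/WEB-INF/classes/app.properties HTTP/1.1" 200 300
203.0.113.5 - - [02/Apr/2021:12:37:30 +0200] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0
203.0.113.5 - - [02/Apr/2021:12:37:31 +0200] "GET /context/docs/WEB-INF-notes.html HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments (RFC 3986 section 5.2.4 semantics)."""
    segments = path.split("/")
    out = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:          # never pop the leading empty root segment
                out.pop()
            continue
        out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")                # keep a directory-style trailing slash
    return "/".join(out)


def canonical_path(raw_target: str) -> str:
    """Decode percent-escapes once (%2e -> '.') and resolve dot segments.

    A single decode mirrors what the container itself does; decoding until a
    fixpoint would also catch double-encoded forms but over-flags literal '%25'.
    """
    path = raw_target.split("?", 1)[0]   # drop the query string
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    return remove_dot_segments(path)


def is_protected(raw_target: str, context: str = "/context") -> bool:
    """True when the request resolves to a WEB-INF/META-INF entry of `context`."""
    canon = canonical_path(raw_target)
    if not canon.startswith(context + "/"):
        return False
    # First path segment relative to the context root, matched case-insensitively
    # so a case-folding filesystem does not hide a hit.
    first = canon[len(context):].split("/")[1]
    return first.upper() in PROTECTED_DIRS


def scan_access_log(text: str, context: str = "/context") -> list:
    """Return (target, status) for every request that resolves into WEB-INF."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and is_protected(m["target"], context):
            hits.append((m["target"], int(m["status"])))
    return hits


def leaked(text: str, context: str = "/context") -> list:
    """Subset of hits the server actually answered with 2xx: content was served."""
    return [(t, s) for t, s in scan_access_log(text, context) if 200 <= s < 300]


if __name__ == "__main__":
    for target, status in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{status} {target} -> {canonical_path(target)}")
    print("served protected content:", leaked(SAMPLE_ACCESS_LOG))
```

Note that the plain `/context/WEB-INF/web.xml` request is also flagged; it is the 404 on that line against the 200 on the `%2e` variants that shows the raw-path check was bypassed. After the upgrade named above, the encoded variants should return the same error as the plain one.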