unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / Atom feed
* bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
@ 2021-04-02 10:37 Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 11:18 ` Julien Lepiller
  2021-04-12 14:41 ` Julien Lepiller
  0 siblings, 2 replies; 3+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-02 10:37 UTC (permalink / raw)
  To: 47562

[-- Attachment #1: Type: text/plain, Size: 1024 bytes --]

CVE-2021-28165	01.04.21 17:15
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
large invalid TLS frame.

CVE-2021-28164	01.04.21 17:15
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
compliance mode allows requests with URIs that contain %2e or %2e%2e
segments to access protected resources within the WEB-INF directory.
For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
web.xml file. This can reveal sensitive information regarding the
implementation of a web application.

CVE-2021-28163	01.04.21 17:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
symlink, the contents of the webapps directory is deployed as a static
webapp, inadvertently serving the webapps themselves and anything else
that might be in that directory.

The fix is to upgrade to latest version, currently: 9.4.39.v20210325

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
  2021-04-02 10:37 bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade) Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-02 11:18 ` Julien Lepiller
  2021-04-12 14:41 ` Julien Lepiller
  1 sibling, 0 replies; 3+ messages in thread
From: Julien Lepiller @ 2021-04-02 11:18 UTC (permalink / raw)
  To: 47562

[-- Attachment #1: Type: text/plain, Size: 2009 bytes --]

Le Fri, 02 Apr 2021 12:37:27 +0200,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> a écrit :

> CVE-2021-28165	01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
> 
> CVE-2021-28164	01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
> 
> CVE-2021-28163	01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
> 
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

attached is a patch for these security issues. I'm not very happy with
them, because I had to do many things, but when updating 4 yo packages,
it's somewhat expected.

The packages now require junit 5 to run the tests, so I had to disable
them, and dependencies have changed a bit, with the notable addition of
util-ajax. Unfortunately, I cannot update the 9.2.* versions, and
jetty-test-classes fails to build, though it's not needed anymore as
it's only used during tests.

I believe I added these packages initially only because I didn't want
users to mistakenly install the 9.2.* versions that were not the latest
at the time. We might want to update to jetty 11 or figure out how to
build junit 5, which has quite a complex dependency graph, with a few
cycles.

Thanks Léo for noticing this!

[-- Attachment #2: 0001-gnu-java-eclipse-jetty-util-Update-to-9.4.39-securit.patch --]
[-- Type: text/x-patch, Size: 7164 bytes --]

From d5e5f91b523fb12f452a28648c67531e362a7637 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Fri, 2 Apr 2021 12:55:16 +0200
Subject: [PATCH] gnu: java-eclipse-jetty-util: Update to 9.4.39 [security
 fixes].

Fixes CVE-2021-28165 - jetty server high CPU when client send data length >
17408, CVE-2021-28164 - Normalize ambiguous URIs and CVE-2021-28163 - Exclude
webapps directory from deployment scan.

* gnu/packages/java.scm (java-eclipse-jetty-util): Update to 9.4.39.
(java-eclipse-jetty-util-ajax): New variable.
(java-eclipse-jetty-util, java-eclipse-jetty-io, java-eclipse-jetty-http)
(java-eclipse-jetty-jmx, java-eclipse-jetty-server)
(java-eclipse-jetty-security, java-eclipse-jetty-servlet)
(java-eclipse-jetty-xml, java-eclipse-jetty-webapp): Disable tests.
[native-inputs]: Remove test dependencies.
---
 gnu/packages/web.scm | 43 ++++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 7bc638ba88..7b0aee3b31 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6830,18 +6830,19 @@ Web Server.")
 (define-public java-eclipse-jetty-util
   (package
     (name "java-eclipse-jetty-util")
-    (version "9.4.6")
+    (version "9.4.39")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/eclipse/jetty.project/"
-                                  "archive/jetty-" version ".v20170531.tar.gz"))
+                                  "archive/jetty-" version ".v20210325.tar.gz"))
               (sha256
                (base32
-                "0x7kbdvkmgr6kbsmbwiiyv3bb0d6wk25frgvld9cf8540136z9p1"))))
+                "0b4hy4zmdmfbqk9bzmxk7v75y2ysqiappkip4z3hb9lxjvjh0b19"))))
     (build-system ant-build-system)
     (arguments
      `(#:jar-name "eclipse-jetty-util.jar"
        #:source-dir "src/main/java"
+       #:tests? #f; require junit 5
        #:test-exclude
        (list "**/Abstract*.java"
              ;; requires network
@@ -6860,11 +6861,6 @@ Web Server.")
     (inputs
      `(("slf4j" ,java-slf4j-api)
        ("servlet" ,java-javaee-servletapi)))
-    (native-inputs
-     `(("junit" ,java-junit)
-       ("hamcrest" ,java-hamcrest-all)
-       ("perf-helper" ,java-eclipse-jetty-perf-helper)
-       ("test-helper" ,java-eclipse-jetty-test-helper)))
     (home-page "https://www.eclipse.org/jetty/")
     (synopsis "Utility classes for Jetty")
     (description "The Jetty Web Server provides an HTTP server and Servlet
@@ -6925,6 +6921,7 @@ or embedded instantiation.  This package provides utility classes.")
      `(#:jar-name "eclipse-jetty-io.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:test-exclude (list "**/Abstract*.java"
                             ;; Abstract class
                             "**/EndPointTest.java")
@@ -6966,6 +6963,7 @@ or embedded instantiation.  This package provides IO-related utility classes."))
      `(#:jar-name "eclipse-jetty-http.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'chdir
@@ -7101,9 +7099,6 @@ or embedded instantiation.  This package provides the JMX management.")))
        ("io" ,java-eclipse-jetty-io)
        ("jmx" ,java-eclipse-jetty-jmx)
        ("util" ,java-eclipse-jetty-util)))
-    (native-inputs
-     `(("test-classes" ,java-eclipse-jetty-http-test-classes)
-       ,@(package-native-inputs java-eclipse-jetty-util)))
     (synopsis "Core jetty server artifact")
     (description "The Jetty Web Server provides an HTTP server and Servlet
 container capable of serving static and dynamic content either from a standalone
@@ -7133,6 +7128,7 @@ artifact.")))
      `(#:jar-name "eclipse-jetty-security.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:test-exclude (list "**/ConstraintTest.*") ; This test fails
        #:phases
        (modify-phases %standard-phases
@@ -7146,9 +7142,6 @@ artifact.")))
        ("http" ,java-eclipse-jetty-http)
        ("server" ,java-eclipse-jetty-server)
        ("util" ,java-eclipse-jetty-util)))
-    (native-inputs
-     `(("io" ,java-eclipse-jetty-io)
-       ,@(package-native-inputs java-eclipse-jetty-util)))
     (synopsis "Jetty security infrastructure")
     (description "The Jetty Web Server provides an HTTP server and Servlet
 container capable of serving static and dynamic content either from a standalone
@@ -7169,6 +7162,18 @@ infrastructure")))
      `(("io" ,java-eclipse-jetty-io-9.2)
        ,@(package-native-inputs java-eclipse-jetty-util-9.2)))))
 
+(define-public java-eclipse-jetty-util-ajax
+  (package
+    (inherit java-eclipse-jetty-util)
+    (name "java-eclipse-jetty-util-ajax")
+    (arguments
+     `(#:jar-name "eclipse-jetty-util-ajax.jar"
+       #:source-dir "jetty-util-ajax/src/main/java"
+       #:tests? #f)); require junit 5
+    (inputs
+     `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util)
+       ("java-javaee-servletapi" ,java-javaee-servletapi)))))
+
 (define-public java-eclipse-jetty-servlet
   (package
     (inherit java-eclipse-jetty-util)
@@ -7177,6 +7182,7 @@ infrastructure")))
      `(#:jar-name "eclipse-jetty-servlet.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'chdir
@@ -7186,8 +7192,8 @@ infrastructure")))
     (inputs
      `(("slf4j" ,java-slf4j-api)
        ("java-javaee-servletapi" ,java-javaee-servletapi)
+       ("java-eclipse-jetty-util-ajax" ,java-eclipse-jetty-util-ajax)
        ("http" ,java-eclipse-jetty-http)
-       ("http-test" ,java-eclipse-jetty-http-test-classes)
        ("io" ,java-eclipse-jetty-io)
        ("jmx" ,java-eclipse-jetty-jmx)
        ("security" ,java-eclipse-jetty-security)
@@ -7277,6 +7283,7 @@ container.")))
      `(#:jar-name "eclipse-jetty-webapp.jar"
        #:source-dir "src/main/java"
        #:jdk ,icedtea-8
+       #:tests? #f; require junit 5
        ;; One test fails
        #:test-exclude (list "**/WebAppContextTest.java")
        #:phases
@@ -7288,14 +7295,12 @@ container.")))
     (inputs
      `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util)
        ("java-eclipse-jetty-http" ,java-eclipse-jetty-http)
+       ("java-eclipse-jetty-io" ,java-eclipse-jetty-io)
        ("java-eclipse-jetty-server" ,java-eclipse-jetty-server)
        ("java-eclipse-jetty-servlet" ,java-eclipse-jetty-servlet)
        ("java-eclipse-jetty-security" ,java-eclipse-jetty-security)
        ("java-eclipse-jetty-xml" ,java-eclipse-jetty-xml)
-       ("java-javaee-servletapi" ,java-javaee-servletapi)))
-    (native-inputs
-     `(("java-eclipse-jetty-io" ,java-eclipse-jetty-io)
-       ,@(package-native-inputs java-eclipse-jetty-util)))))
+       ("java-javaee-servletapi" ,java-javaee-servletapi)))))
 
 (define-public java-eclipse-jetty-webapp-9.2
   (package
-- 
2.31.0


^ permalink raw reply	[flat|nested] 3+ messages in thread

* bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
  2021-04-02 10:37 bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade) Léo Le Bouter via Bug reports for GNU Guix
  2021-04-02 11:18 ` Julien Lepiller
@ 2021-04-12 14:41 ` Julien Lepiller
  1 sibling, 0 replies; 3+ messages in thread
From: Julien Lepiller @ 2021-04-12 14:41 UTC (permalink / raw)
  To: 47562-done

Pushed as ac3bf4e4da58e985f012d216b2faf36434cdf967.




^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-04-12 14:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-02 10:37 bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade) Léo Le Bouter via Bug reports for GNU Guix
2021-04-02 11:18 ` Julien Lepiller
2021-04-12 14:41 ` Julien Lepiller

unofficial mirror of bug-guix@gnu.org 

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://yhetil.org/guix-bugs/0 guix-bugs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 guix-bugs guix-bugs/ https://yhetil.org/guix-bugs \
		bug-guix@gnu.org
	public-inbox-index guix-bugs

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.gnu.guix.bugs
	nntp://news.gmane.io/gmane.comp.gnu.guix.bugs


AGPL code for this site: git clone http://ou63pmih66umazou.onion/public-inbox.git