Subject: bug#47562: java-eclipse-jetty-* packages are vulnerable to CVE-2021-28165, CVE-2021-28164 and CVE-2021-28163 (also probably MANY others, 4y w/o upgrade)
From: Julien Lepiller
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47562@debbugs.gnu.org
Date: Fri, 2 Apr 2021 13:18:05 +0200
Message-ID: <20210402131805.3ade4377@tachikoma.lepiller.eu>
In-Reply-To: <0fc1caefa7b1dd2b41639a9cc58f7d6da4c1a23d.camel@zaclys.net>
List: bug-guix@gnu.org (Bug reports for GNU Guix)
On Fri, 02 Apr 2021 12:37:27 +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:

> CVE-2021-28165 01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
>
> CVE-2021-28164 01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
>
> CVE-2021-28163 01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory is deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
>
> The fix is to upgrade to latest version, currently: 9.4.39.v20210325

Hi Guix!

Attached is a patch for these security issues. I'm not very happy with them, because I had to do many things, but when updating 4-year-old packages, it's somewhat expected. The packages now require junit 5 to run the tests, so I had to disable them, and dependencies have changed a bit, with the notable addition of util-ajax.

Unfortunately, I cannot update the 9.2.* versions, and jetty-test-classes fails to build, though it's not needed anymore as it's only used during tests. I believe I added these packages initially only because I didn't want users to mistakenly install the 9.2.* versions that were not the latest at the time.

We might want to update to jetty 11 or figure out how to build junit 5, which has quite a complex dependency graph, with a few cycles.

Thanks Léo for noticing this!

Attachment: 0001-gnu-java-eclipse-jetty-util-Update-to-9.4.39-securit.patch

From d5e5f91b523fb12f452a28648c67531e362a7637 Mon Sep 17 00:00:00 2001
From: Julien Lepiller Date: Fri, 2 Apr 2021 12:55:16 +0200 Subject: [PATCH] gnu: java-eclipse-jetty-util: Update to 9.4.39 [security fixes]. Fixes CVE-2021-28165 - jetty server high CPU when client send data length > 17408, CVE-2021-28164 - Normalize ambiguous URIs and CVE-2021-28163 - Exclude webapps directory from deployment scan. * gnu/packages/java.scm (java-eclipse-jetty-util): Update to 9.4.39. (java-eclipse-jetty-util-ajax): New variable. (java-eclipse-jetty-util, java-eclipse-jetty-io, java-eclipse-jetty-http) (java-eclipse-jetty-jmx, java-eclipse-jetty-server) (java-eclipse-jetty-security, java-eclipse-jetty-servlet) (java-eclipse-jetty-xml, java-eclipse-jetty-webapp): Disable tests. [native-inputs]: Remove test dependencies. --- gnu/packages/web.scm | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 7bc638ba88..7b0aee3b31 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -6830,18 +6830,19 @@ Web Server.") (define-public java-eclipse-jetty-util (package (name "java-eclipse-jetty-util") - (version "9.4.6") + (version "9.4.39") (source (origin (method url-fetch) (uri (string-append "https://github.com/eclipse/jetty.project/" - "archive/jetty-" version ".v20170531.tar.gz")) + "archive/jetty-" version ".v20210325.tar.gz")) (sha256 (base32 - "0x7kbdvkmgr6kbsmbwiiyv3bb0d6wk25frgvld9cf8540136z9p1")))) + "0b4hy4zmdmfbqk9bzmxk7v75y2ysqiappkip4z3hb9lxjvjh0b19")))) (build-system ant-build-system) (arguments `(#:jar-name "eclipse-jetty-util.jar" #:source-dir "src/main/java" + #:tests? #f; require junit 5 #:test-exclude (list "**/Abstract*.java" ;; requires network 
@@ -6860,11 +6861,6 @@ Web Server.") (inputs `(("slf4j" ,java-slf4j-api) ("servlet" ,java-javaee-servletapi))) - (native-inputs - `(("junit" ,java-junit) - ("hamcrest" ,java-hamcrest-all) - ("perf-helper" ,java-eclipse-jetty-perf-helper) - ("test-helper" ,java-eclipse-jetty-test-helper))) (home-page "https://www.eclipse.org/jetty/") (synopsis "Utility classes for Jetty") (description "The Jetty Web Server provides an HTTP server and Servlet @@ -6925,6 +6921,7 @@ or embedded instantiation. This package provides utility classes.") `(#:jar-name "eclipse-jetty-io.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:test-exclude (list "**/Abstract*.java" ;; Abstract class "**/EndPointTest.java") @@ -6966,6 +6963,7 @@ or embedded instantiation. This package provides IO-related utility classes.")) `(#:jar-name "eclipse-jetty-http.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:phases (modify-phases %standard-phases (add-before 'configure 'chdir @@ -7101,9 +7099,6 @@ or embedded instantiation. This package provides the JMX management."))) ("io" ,java-eclipse-jetty-io) ("jmx" ,java-eclipse-jetty-jmx) ("util" ,java-eclipse-jetty-util))) - (native-inputs - `(("test-classes" ,java-eclipse-jetty-http-test-classes) - ,@(package-native-inputs java-eclipse-jetty-util))) (synopsis "Core jetty server artifact") (description "The Jetty Web Server provides an HTTP server and Servlet container capable of serving static and dynamic content either from a standalone @@ -7133,6 +7128,7 @@ artifact."))) `(#:jar-name "eclipse-jetty-security.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:test-exclude (list "**/ConstraintTest.*") ; This test fails #:phases (modify-phases %standard-phases 
@@ -7146,9 +7142,6 @@ artifact."))) ("http" ,java-eclipse-jetty-http) ("server" ,java-eclipse-jetty-server) ("util" ,java-eclipse-jetty-util))) - (native-inputs - `(("io" ,java-eclipse-jetty-io) - ,@(package-native-inputs java-eclipse-jetty-util))) (synopsis "Jetty security infrastructure") (description "The Jetty Web Server provides an HTTP server and Servlet container capable of serving static and dynamic content either from a standalone @@ -7169,6 +7162,18 @@ infrastructure"))) `(("io" ,java-eclipse-jetty-io-9.2) ,@(package-native-inputs java-eclipse-jetty-util-9.2))))) +(define-public java-eclipse-jetty-util-ajax + (package + (inherit java-eclipse-jetty-util) + (name "java-eclipse-jetty-util-ajax") + (arguments + `(#:jar-name "eclipse-jetty-util-ajax.jar" + #:source-dir "jetty-util-ajax/src/main/java" + #:tests? #f)); require junit 5 + (inputs + `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util) + ("java-javaee-servletapi" ,java-javaee-servletapi))))) + (define-public java-eclipse-jetty-servlet (package (inherit java-eclipse-jetty-util) @@ -7177,6 +7182,7 @@ infrastructure"))) `(#:jar-name "eclipse-jetty-servlet.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 #:phases (modify-phases %standard-phases (add-before 'configure 'chdir @@ -7186,8 +7192,8 @@ infrastructure"))) (inputs `(("slf4j" ,java-slf4j-api) ("java-javaee-servletapi" ,java-javaee-servletapi) + ("java-eclipse-jetty-util-ajax" ,java-eclipse-jetty-util-ajax) ("http" ,java-eclipse-jetty-http) - ("http-test" ,java-eclipse-jetty-http-test-classes) ("io" ,java-eclipse-jetty-io) ("jmx" ,java-eclipse-jetty-jmx) ("security" ,java-eclipse-jetty-security) @@ -7277,6 +7283,7 @@ container."))) `(#:jar-name "eclipse-jetty-webapp.jar" #:source-dir "src/main/java" #:jdk ,icedtea-8 + #:tests? #f; require junit 5 ;; One test fails #:test-exclude (list "**/WebAppContextTest.java") #:phases 
@@ -7288,14 +7295,12 @@ container."))) (inputs `(("java-eclipse-jetty-util" ,java-eclipse-jetty-util) ("java-eclipse-jetty-http" ,java-eclipse-jetty-http) + ("java-eclipse-jetty-io" ,java-eclipse-jetty-io) ("java-eclipse-jetty-server" ,java-eclipse-jetty-server) ("java-eclipse-jetty-servlet" ,java-eclipse-jetty-servlet) ("java-eclipse-jetty-security" ,java-eclipse-jetty-security) ("java-eclipse-jetty-xml" ,java-eclipse-jetty-xml) - ("java-javaee-servletapi" ,java-javaee-servletapi))) - (native-inputs - `(("java-eclipse-jetty-io" ,java-eclipse-jetty-io) - ,@(package-native-inputs java-eclipse-jetty-util))))) + ("java-javaee-servletapi" ,java-javaee-servletapi))))) (define-public java-eclipse-jetty-webapp-9.2 (package -- 2.31.0 --MP_/G4GRTE6Ox3D=ogSLsgBpP26--
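Review bot: the ChangeLog entry does not match the diff. It names gnu/packages/java.scm, but the only file touched is gnu/packages/web.scm, and it lists java-eclipse-jetty-jmx and java-eclipse-jetty-xml under "Disable tests" although no hunk touches either package (the 24 insertions in the diffstat are fully accounted for by the hunks shown). Correct the file name and either drop those two packages from the entry or add the missing `#:tests? #f` hunks for them.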
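Review bot: in the java-eclipse-jetty-util hunk (@@ -6830) `#:tests? #f` is added while the `#:test-exclude` list right below it is kept, so that list is now dead configuration; the same holds for the jetty-io (@@ -6925), jetty-security (@@ -7133, `"**/ConstraintTest.*") ; This test fails`) and jetty-webapp (@@ -7277, `"**/WebAppContextTest.java"`) hunks. Either remove the exclude lists or add a comment saying they are kept for when junit 5 is packaged. The new inline comments are also glued to the value (`#:tests? #f; require junit 5`), whereas the surrounding code puts a space before a trailing `;` comment. Since tests are now off for the whole stack, nothing in the build exercises the updated jars; a sentence in the commit message on how they were sanity-checked (for example by building the dependants) would help review of a security update.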
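Review bot: the native-inputs removals in the jetty-util (@@ -6860), jetty-server (@@ -7101), jetty-security (@@ -7146) and jetty-webapp (@@ -7288) hunks drop every reference to java-eclipse-jetty-perf-helper, java-eclipse-jetty-test-helper and java-eclipse-jetty-http-test-classes that appears in this diff, yet the diff neither removes nor fixes those package definitions, and the cover mail says jetty-test-classes no longer builds. A now-unused package that is known not to build should not be left in the tree by this series: remove it here, or state in the commit message why it stays.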
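Review bot: in the new java-eclipse-jetty-util-ajax definition (@@ -7169) the comment `; require junit 5` sits after the closing parens of the arguments form, outside the `#:tests? #f` it explains; move it onto that line. The package inherits java-eclipse-jetty-util without overriding synopsis or description, so it will be listed as "Utility classes for Jetty" with the util description; give it its own. It is also inserted right after the 9.2 variants (the preceding context is `,@(package-native-inputs java-eclipse-jetty-util-9.2)`) rather than next to java-eclipse-jetty-util, which it inherits from; placing it directly after java-eclipse-jetty-util would keep the file's grouping.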
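An added example, not part of the bug report or of the patch: a small Python checker that maps a Jetty version string onto the affected ranges quoted in the report, so an inventory of deployed or packaged versions (including the 9.2.* ones the reply says cannot be updated) can be triaged. The ranges are taken from the quoted NVD text; the version-format assumptions (a trailing `.vYYYYMMDD` build stamp, and alpha < beta < rc < final release) are mine.

```python
import re

# Inclusive affected ranges, copied from the NVD text quoted in the report.
AFFECTED = {
    "CVE-2021-28165": [("7.2.2", "9.4.38"), ("10.0.0.alpha0", "10.0.1"),
                       ("11.0.0.alpha0", "11.0.1")],
    "CVE-2021-28164": [("9.4.37", "9.4.38")],
    "CVE-2021-28163": [("9.4.32", "9.4.38"), ("10.0.0.beta2", "10.0.1"),
                       ("11.0.0.beta2", "11.0.1")],
}

# Assumption: pre-release qualifiers order alpha < beta < rc < final.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)"          # major.minor.patch
    r"(?:\.(alpha|beta|rc)(\d+))?"  # optional pre-release qualifier
    r"(?:\.v\d{8})?"                # optional Jetty build stamp, e.g. .v20210325
)


def parse_version(text):
    """Turn '9.4.38.v20210224' or '10.0.0.beta2' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _QUALIFIER_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def affected_cves(version):
    """Return the sorted CVE ids whose quoted ranges contain `version`."""
    key = parse_version(version)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in ranges)
    )


def triage(versions):
    """Map each version in an inventory to its list of affected CVEs."""
    return {v: affected_cves(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory: the old and new Guix versions plus a 9.2 and an 11.x build.
    for v, cves in triage(["9.4.6.v20170531", "9.4.39.v20210325",
                           "9.2.22.v20170606", "11.0.1"]).items():
        print(v, "->", ", ".join(cves) or "not affected")
```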