[Git][java-team/jetty9][buster] 12 commits: New upstream version 9.4.40

Markus Koschany (@apo) gitlab at salsa.debian.org
Mon Oct 30 20:17:50 GMT 2023



Markus Koschany pushed to branch buster at Debian Java Maintainers / jetty9


Commits:
8ff9b299 by Emmanuel Bourg at 2021-10-18T10:26:37+02:00
New upstream version 9.4.40
- - - - -
348c44a3 by Emmanuel Bourg at 2021-10-18T10:27:32+02:00
New upstream version 9.4.41
- - - - -
d63be05d by Emmanuel Bourg at 2021-10-18T10:28:25+02:00
New upstream version 9.4.42
- - - - -
2812d7f1 by Emmanuel Bourg at 2021-10-18T10:29:06+02:00
New upstream version 9.4.43
- - - - -
ff45b723 by Emmanuel Bourg at 2021-10-18T10:29:34+02:00
New upstream version 9.4.44
- - - - -
68c3a969 by Markus Koschany at 2022-02-11T10:53:57+01:00
New upstream version 9.4.45
- - - - -
e6071ff4 by Markus Koschany at 2022-02-11T11:19:54+01:00
New upstream version 9.4.45
- - - - -
ace796c1 by Emmanuel Bourg at 2022-05-02T18:34:10+02:00
New upstream version 9.4.46
- - - - -
006797f4 by Markus Koschany at 2022-07-18T13:25:59+02:00
New upstream version 9.4.48
- - - - -
b614d144 by Markus Koschany at 2022-09-22T23:40:01+02:00
New upstream version 9.4.49
- - - - -
a6be8216 by Emmanuel Bourg at 2022-11-27T22:36:01+01:00
New upstream version 9.4.50
- - - - -
084d3375 by Markus Koschany at 2023-10-30T21:17:08+01:00
Import Debian changes 9.4.50-4+deb10u1

jetty9 (9.4.50-4+deb10u1) buster-security; urgency=high
.
  * Team upload.
  * Backport Jetty 9 version from Bookworm.
  * Revert to compat level 12 and servlet-api 3.1.
  * Fix CVE-2023-36478 and CVE-2023-44487:
    Two remotely exploitable security vulnerabilities were discovered in Jetty
    9, a Java-based web server and servlet engine. The HTTP/2 protocol
    implementation did not sufficiently verify if HPACK header values exceed
    their size limit. Furthermore, the HTTP/2 protocol allowed a denial of
    service (server resource consumption) because request cancellation can
    reset many streams quickly. This problem is also known as the Rapid Reset
    Attack.
  * Fix CVE-2020-27218:
    If GZIP request body inflation is enabled and requests from different
    clients are multiplexed onto a single connection, and if an attacker can
    send a request with a body that is received entirely but not consumed by
    the application, then a subsequent request on the same connection will see
    that body prepended to its body. The attacker will not see any data but may
    inject data into the body of the subsequent request.
.
jetty9 (9.4.50-4+deb12u1) bookworm-security; urgency=high
.
  * Team upload.
  * The org.eclipse.jetty.servlets.CGI servlet has been deprecated. It is
    potentially unsafe to use it. The upstream developers of Jetty recommend
    using FastCGI instead. See also CVE-2023-36479.
  * Fix CVE-2023-26048:
    Jetty is a Java-based web server and servlet engine. In affected versions
    servlets with multipart support (e.g. annotated with `@MultipartConfig`)
    that call `HttpServletRequest.getParameter()` or
    `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
    client sends a multipart request with a part that has a name but no
    filename and very large content. This happens even with the default
    settings of `fileSizeThreshold=0` which should stream the whole part
    content to disk.
  * Fix CVE-2023-26049:
    Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
    cookies within other cookies, or otherwise perform unintended behavior by
    tampering with the cookie parsing mechanism.
  * Fix CVE-2023-40167:
    Prior to this version Jetty accepted the `+` character preceding the
    content-length value in an HTTP/1 header field. This is more permissive than
    allowed by the RFC and other servers routinely reject such requests with
    400 responses. There is no known exploit scenario, but it is conceivable
    that request smuggling could result if Jetty is used in combination with a
    server that does not close the connection after sending such a 400
    response.
  * CVE-2023-36479:
    Users of the CgiServlet with a very specific command structure may have the
    wrong command executed. If a user sends a request to a
    org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its
    name, the servlet will escape the command by wrapping it in quotation
    marks. This wrapped command, plus an optional command prefix, will then be
    executed through a call to Runtime.exec. If the original binary name
    provided by the user contains a quotation mark followed by a space, the
    resulting command line will contain multiple tokens instead of one.
  * Fix CVE-2023-41900:
    Jetty is vulnerable to weak authentication. If a Jetty
    `OpenIdAuthenticator` uses the optional nested `LoginService`, and that
    `LoginService` decides to revoke an already authenticated user, then the
    current request will still treat the user as authenticated. The
    authentication is then cleared from the session and subsequent requests
    will not be treated as authenticated. So a request on a previously
    authenticated session could be allowed to bypass authentication after it
    had been rejected by the `LoginService`. This impacts usages of the
    jetty-openid which have configured a nested `LoginService` and where that
    `LoginService` is capable of rejecting previously authenticated users.
.
jetty9 (9.4.50-4) unstable; urgency=medium
.
  * Team upload.
  * Revert the switch to libtomcat10-java. For now Jetty 9 only works correctly
    with libtomcat9-java. (Closes: #1036798)
.
jetty9 (9.4.50-3) unstable; urgency=medium
.
  * Team upload.
  * Depend on libtomcat10-java instead of libtomcat9-java.
  * Add tomcat10-migration.patch.
  * Ignore jetty-jaspi module because it does not work with Tomcat 10 yet.
.
jetty9 (9.4.50-2) unstable; urgency=medium
.
  * Depend on libeclipse-jdt-core-java instead of libecj-java
  * Standards-Version updated to 4.6.2
.
jetty9 (9.4.50-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
.
jetty9 (9.4.49-1) unstable; urgency=medium
.
  * Team upload.
  * New upstream version 9.4.49.
.
jetty9 (9.4.48-1) unstable; urgency=high
.
  * Team upload.
  * New upstream version 9.4.48.
    - Fix CVE-2022-2048 and CVE-2022-2047.
.
jetty9 (9.4.46-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
.
jetty9 (9.4.45-1) unstable; urgency=medium
.
  * Team upload.
  * New upstream version 9.4.45.
  * Remove haproxy binary file from the sources.
.
jetty9 (9.4.44-4) unstable; urgency=medium
.
  * Team upload.
  * Add servlet-api.patch and correct the API version in jetty-home/pom.xml.
    This used to work because libservlet3.1-java was pulled in as a transitive
    dependency. (Closes: #1002274)
.
jetty9 (9.4.44-3) unstable; urgency=medium
.
  * Team upload.
  * Ignore junit-bom artifact of scope import.
    The junit-bom dependency caused several FTBFS because of
    reverse-dependencies that did not depend on junit5.
.
jetty9 (9.4.44-2) unstable; urgency=medium
.
  * Team upload.
  * Update README.Debian and clarify how to override systemd security features.
    (Closes: #994440)
  * Replace deprecated configuration options in start.ini.
    Thanks to Martin van Es for the report. (Closes: #994441)
.
jetty9 (9.4.44-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
    - Updated the Maven rules
  * Depend on libservlet-api-java instead of libservlet3.1-java
  * No longer remove the jetty user/group when purging the package
  * Standards-Version updated to 4.6.0.1
  * Switch to debhelper level 13
.
jetty9 (9.4.39-3) unstable; urgency=high
.
  * Team upload.
  * Fix CVE-2021-34429:
    URIs can be crafted using some encoded characters to access the content of
    the WEB-INF directory and/or bypass some security constraints.
    Thanks to Salvatore Bonaccorso for the report. (Closes: #991188)
.
jetty9 (9.4.39-2) unstable; urgency=high
.
  * Team upload.
  * Fix CVE-2021-28169:
    It is possible for requests to the ConcatServlet with a doubly encoded path
    to access protected resources within the WEB-INF directory. For example a
    request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file.
    This can reveal sensitive information regarding the implementation of a web
    application.
  * Fix CVE-2021-34428:
    If an exception is thrown from the SessionListener#sessionDestroyed()
    method, then the session ID is not invalidated in the session ID manager.
    On deployments with clustered sessions and multiple contexts this can
    result in a session not being invalidated. This can result in an
    application used on a shared computer being left logged in.
.
    Thanks to Salvatore Bonaccorso for the report. (Closes: #989999, #990578)
.
jetty9 (9.4.39-1) unstable; urgency=high
.
  * New upstream release
    - Fixed CVE-2021-28163: If a user uses a webapps directory that is a
      symlink, the contents of the webapps directory are deployed as a static
      webapp, inadvertently serving the webapps themselves and anything else
      that might be in that directory.
    - Fixes CVE-2021-28164: The default compliance mode allows requests with
      URIs that contain %2e or %2e%2e segments to access protected resources
      within the WEB-INF directory. This can reveal sensitive information
      regarding the implementation of a web application.
    - Fixes CVE-2021-28165: CPU usage can reach 100% upon receiving a large
      invalid TLS frame.
.
jetty9 (9.4.38-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
.
jetty9 (9.4.36-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
.
jetty9 (9.4.35-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.5.1
.
jetty9 (9.4.33-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
.
jetty9 (9.4.31-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
.
jetty9 (9.4.29-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
.
jetty9 (9.4.28-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
  * Switch to debhelper level 12
.
jetty9 (9.4.27-1) unstable; urgency=medium
.
  * New upstream release
.
jetty9 (9.4.26-1) unstable; urgency=medium
.
  * New upstream release
    - Refreshed the patches
    - Updated the Maven rules
    - Build the new jetty-openid module
    - Replaced the jetty-cdi-* artifacts with the unified jetty-cdi one
  * Standards-Version updated to 4.5.0
.
jetty9 (9.4.18-2) unstable; urgency=medium
.
  * Team upload to unstable.
  * Add missing dependency on libecj-java (Closes: #924168)
  * Bump Standards-Version to 4.4.0
  * Add NOTICE.txt to be installed in /usr/share/doc/jetty9
.
jetty9 (9.4.18-1) experimental; urgency=medium
.
  * Team upload.
  * New upstream release
    - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)
  * Freshen years in debian/copyright
  * Refresh patches for new upstream version
  * Add org.eclipse.jetty:infinispan-embedded et al. to maven.ignoreRules
  * Update 09-tweak-distribution patch (jetty-home pom)

- - - - -
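The Content-Length parsing point raised under CVE-2023-40167 in the changelog above, shown as an added Python example that is not part of Jetty or of this commit: a permissive parser accepts a `+` sign (and other non-digit forms) while the RFC grammar is exactly 1*DIGIT. The request heads and the `validate_request_head` helper are constructed for illustration.

```python
import re

# RFC 9110 section 8.6 defines Content-Length = 1*DIGIT: no sign, no
# whitespace inside the number, no separators.  Accepting "+42" is the
# over-permissive behaviour the CVE-2023-40167 entry describes.
_CONTENT_LENGTH = re.compile(r"^[0-9]+$")


def lenient_content_length(value: str):
    """Model of a permissive parser: whatever int() happens to accept."""
    try:
        return int(value)
    except ValueError:
        return None


def strict_content_length(value: str):
    """Return the length only if the field value is exactly 1*DIGIT."""
    if _CONTENT_LENGTH.fullmatch(value):
        return int(value)
    return None


def validate_request_head(head: bytes):
    """Check the Content-Length fields of an HTTP/1 request head (hypothetical
    helper).  Returns (400, None) when a value is malformed or two fields
    disagree, as an RFC-following front end does; otherwise (200, length)."""
    lengths = []
    for line in head.split(b"\r\n")[1:]:
        if not line:  # empty line ends the header section
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            n = strict_content_length(value.strip().decode("ascii", "replace"))
            if n is None:
                return 400, None
            lengths.append(n)
    if len(set(lengths)) > 1:  # conflicting lengths are rejected as well
        return 400, None
    return 200, (lengths[0] if lengths else 0)


# Constructed request heads (not taken from the page).
GOOD_HEAD = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
PLUS_HEAD = b"POST /x HTTP/1.1\r\nHost: example.test\r\nContent-Length: +5\r\n\r\nhello"

if __name__ == "__main__":
    for value in ("5", "+5", " 5", "5_0", "0x5"):
        print(repr(value), lenient_content_length(value), strict_content_length(value))
    print(validate_request_head(GOOD_HEAD), validate_request_head(PLUS_HEAD))
```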


30 changed files:

- .gitattributes
- + .github/ISSUE_TEMPLATE/issue-template.md
- + .github/ISSUE_TEMPLATE/question-template.md
- + .github/dependabot.yml
- + .github/release-config.yml
- + .github/stale.yml
- .gitignore
- CONTRIBUTING.md
- Jenkinsfile
- Jmh_Jenkinsfile
- KEYS.txt
- LICENSE
- NOTICE.txt
- README.md
- VERSION.txt
- aggregates/jetty-all-compact3/pom.xml
- aggregates/jetty-all/pom.xml
- aggregates/jetty-websocket-all/pom.xml
- apache-jsp/pom.xml
- apache-jsp/src/main/config/modules/apache-jsp.mod
- apache-jsp/src/main/java/org/eclipse/jetty/apache/jsp/JettyJasperInitializer.java
- apache-jsp/src/main/java/org/eclipse/jetty/apache/jsp/JettyTldPreScanned.java
- apache-jsp/src/main/java/org/eclipse/jetty/apache/jsp/JuliLog.java
- apache-jsp/src/main/java/org/eclipse/jetty/jsp/JettyJspServlet.java
- apache-jsp/src/test/java/org/eclipse/jetty/jsp/TestJettyJspServlet.java
- apache-jsp/src/test/java/org/eclipse/jetty/jsp/TestJettyTldPreScanned.java
- apache-jsp/src/test/java/org/eclipse/jetty/jsp/TestJspFileNameToClass.java
- apache-jstl/pom.xml
- apache-jstl/src/main/config/modules/apache-jstl.mod
- apache-jstl/src/test/java/org/eclipse/jetty/jstl/JspConfig.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/java-team/jetty9/-/compare/6d98df40768f47dbc9c24ea3c9149a8686e9b297...084d3375bd99ca96a5b711e4f17cec697075e092
