[Git][java-team/jetty9][buster] Import Debian changes 9.4.16-0+deb10u2
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sun Aug 21 23:23:00 BST 2022
Markus Koschany pushed to branch buster at Debian Java Maintainers / jetty9
Commits:
7e49356f by Markus Koschany at 2022-08-22T00:22:42+02:00
Import Debian changes 9.4.16-0+deb10u2
jetty9 (9.4.16-0+deb10u2) buster-security; urgency=high
..
* Team upload.
* Fix CVE-2022-2047:
In Eclipse Jetty the parsing of the authority segment of an http scheme
URI, the Jetty HttpURI class improperly detects an invalid input as a
hostname. This can lead to failures in a Proxy scenario.
* Fix CVE-2022-2048:
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid
HTTP/2 request, the error handling has a bug that can wind up not properly
cleaning up the active connections and associated resources. This can lead
to a Denial of Service scenario where there are not enough resources left to
process good requests.
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/CVE-2022-2047.patch
- + debian/patches/CVE-2022-2048.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+jetty9 (9.4.16-0+deb10u2) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2022-2047:
+ In Eclipse Jetty the parsing of the authority segment of an http scheme
+ URI, the Jetty HttpURI class improperly detects an invalid input as a
+ hostname. This can lead to failures in a Proxy scenario.
+ * Fix CVE-2022-2048:
+ In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid
+ HTTP/2 request, the error handling has a bug that can wind up not properly
+ cleaning up the active connections and associated resources. This can lead
+ to a Denial of Service scenario where there are no enough resources left to
+ process good requests.
+
+ -- Markus Koschany <apo at debian.org> Sun, 21 Aug 2022 20:11:42 +0200
+
jetty9 (9.4.16-0+deb10u1) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2022-2047.patch
=====================================
@@ -0,0 +1,326 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 17 Aug 2022 12:58:27 +0200
+Subject: CVE-2022-2047
+
+Origin: https://github.com/eclipse/jetty.project/pull/8146
+---
+ .../java/org/eclipse/jetty/client/HttpRequest.java | 8 +-
+ .../eclipse/jetty/client/HttpClientURITest.java | 45 ++++++++++
+ .../main/java/org/eclipse/jetty/http/HttpURI.java | 25 +++++-
+ .../java/org/eclipse/jetty/http/HttpURITest.java | 95 ++++++++++++++++++++++
+ .../org/eclipse/jetty/proxy/ConnectHandler.java | 2 +-
+ .../java/org/eclipse/jetty/server/Request.java | 14 +++-
+ .../eclipse/jetty/server/HttpConnectionTest.java | 12 +--
+ 7 files changed, 187 insertions(+), 14 deletions(-)
+
+diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+index f6a453f..2d2afa0 100644
+--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
++++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+@@ -177,6 +177,8 @@ public class HttpRequest implements Request
+ String rawPath = uri.getRawPath();
+ if (rawPath == null)
+ rawPath = "";
++ if (!rawPath.startsWith("/"))
++ rawPath = "/" + rawPath;
+ this.path = rawPath;
+ String query = uri.getRawQuery();
+ if (query != null)
+@@ -855,14 +857,14 @@ public class HttpRequest implements Request
+ return result;
+ }
+
+- private URI newURI(String uri)
++ private URI newURI(String path)
+ {
+ try
+ {
+ // Handle specially the "OPTIONS *" case, since it is possible to create a URI from "*" (!).
+- if ("*".equals(uri))
++ if ("*".equals(path))
+ return null;
+- URI result = new URI(uri);
++ URI result = new URI(path);
+ return result.isOpaque() ? null : result;
+ }
+ catch (URISyntaxException x)
+diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java
+index 9c43512..5a97bdd 100644
+--- a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java
++++ b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java
+@@ -189,7 +189,7 @@ public class HttpURI
+ _uri=uri;
+
+ if (HttpMethod.CONNECT.is(method))
+- _path=uri;
++ parse(State.HOST, uri, 0, uri.length());
+ else
+ parse(uri.startsWith("/")?State.PATH:State.START,uri,0,uri.length());
+ }
+@@ -720,17 +720,30 @@ public class HttpURI
+ */
+ public void setAuthority(String host, int port)
+ {
++ if (host != null && !isPathValidForAuthority(_path))
++ throw new IllegalArgumentException("Relative path with authority");
+ _host=host;
+ _port=port;
+ _uri=null;
+ }
+
++ private boolean isPathValidForAuthority(String path)
++ {
++ if (path == null)
++ return true;
++ if (path.isEmpty() || "*".equals(path))
++ return true;
++ return path.startsWith("/");
++ }
++
+ /* ------------------------------------------------------------ */
+ /**
+ * @param path the path
+ */
+ public void setPath(String path)
+ {
++ if (hasAuthority() && !isPathValidForAuthority(path))
++ throw new IllegalArgumentException("Relative path with authority");
+ _uri=null;
+ _path=path;
+ _decodedPath=null;
+@@ -739,6 +752,8 @@ public class HttpURI
+ /* ------------------------------------------------------------ */
+ public void setPathQuery(String path)
+ {
++ if (hasAuthority() && !isPathValidForAuthority(path))
++ throw new IllegalArgumentException("Relative path with authority");
+ _uri=null;
+ _path=null;
+ _decodedPath=null;
+@@ -747,7 +762,13 @@ public class HttpURI
+ if (path!=null)
+ parse(State.PATH,path,0,path.length());
+ }
+-
++
++ private boolean hasAuthority()
++ {
++ return _host != null;
++ }
++
++
+ /* ------------------------------------------------------------ */
+ public void setQuery(String query)
+ {
+diff --git a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java
+index 63a58cf..6c3e65f 100644
+--- a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java
++++ b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java
+@@ -32,6 +32,15 @@ import java.nio.charset.StandardCharsets;
+ import org.eclipse.jetty.util.MultiMap;
+ import org.junit.jupiter.api.Test;
+
++import org.junit.jupiter.params.ParameterizedTest;
++import org.junit.jupiter.params.provider.Arguments;
++import org.junit.jupiter.params.provider.MethodSource;
++import static org.junit.jupiter.api.Assertions.assertEquals;
++import static org.junit.jupiter.api.Assertions.assertThrows;
++import static org.junit.jupiter.api.Assertions.assertTrue;
++import static org.junit.jupiter.api.Assertions.fail;
++import static org.junit.jupiter.api.Assumptions.assumeTrue;
++
+ public class HttpURITest
+ {
+ @Test
+@@ -100,6 +109,32 @@ public class HttpURITest
+ assertThat(uri.getPath(),is("/bar"));
+ }
+
++ @Test
++ public void testCONNECT()
++ {
++ HttpURI uri = new HttpURI();
++
++ uri.parseRequestTarget("CONNECT", "host:80");
++ assertThat(uri.getHost(), is("host"));
++ assertThat(uri.getPort(), is(80));
++ assertThat(uri.getPath(), nullValue());
++
++ uri.parseRequestTarget("CONNECT", "host");
++ assertThat(uri.getHost(), is("host"));
++ assertThat(uri.getPort(), is(-1));
++ assertThat(uri.getPath(), nullValue());
++
++ uri.parseRequestTarget("CONNECT", "192.168.0.1:8080");
++ assertThat(uri.getHost(), is("192.168.0.1"));
++ assertThat(uri.getPort(), is(8080));
++ assertThat(uri.getPath(), nullValue());
++
++ uri.parseRequestTarget("CONNECT", "[::1]:8080");
++ assertThat(uri.getHost(), is("[::1]"));
++ assertThat(uri.getPort(), is(8080));
++ assertThat(uri.getPath(), nullValue());
++ }
++
+ @Test
+ public void testExtB() throws Exception
+ {
+@@ -222,4 +257,64 @@ public class HttpURITest
+ assertEquals(uri.getAuthority(), "example.com:8888");
+ assertEquals(uri.getUser(), "user:password");
+ }
++
++ @Test
++ public void testRelativePathWithAuthority()
++ {
++ assertThrows(IllegalArgumentException.class, () ->
++ {
++ HttpURI httpURI = new HttpURI();
++ httpURI.setAuthority("host", 0);
++ httpURI.setPath("path");
++ });
++ assertThrows(IllegalArgumentException.class, () ->
++ {
++ HttpURI httpURI = new HttpURI();
++ httpURI.setAuthority("host", 8080);
++ httpURI.setPath(";p=v/url");
++ });
++ assertThrows(IllegalArgumentException.class, () ->
++ {
++ HttpURI httpURI = new HttpURI();
++ httpURI.setAuthority("host", 0);
++ httpURI.setPath(";");
++ });
++
++ assertThrows(IllegalArgumentException.class, () ->
++ {
++ HttpURI httpURI = new HttpURI();
++ httpURI.setPath("path");
++ httpURI.setAuthority("host", 0);
++ });
++ assertThrows(IllegalArgumentException.class, () ->
++ {
++ HttpURI httpURI = new HttpURI();
++ httpURI.setPath(";p=v/url");
++ httpURI.setAuthority("host", 8080);
++ });
++ assertThrows(IllegalArgumentException.class, () ->
++ {
++ HttpURI httpURI = new HttpURI();
++ httpURI.setPath(";");
++ httpURI.setAuthority("host", 0);
++ });
++
++ HttpURI uri = new HttpURI();
++ uri.setPath("*");
++ uri.setAuthority("host", 0);
++ assertEquals("//host*", uri.toString());
++ uri = new HttpURI();
++ uri.setAuthority("host", 0);
++ uri.setPath("*");
++ assertEquals("//host*", uri.toString());
++
++ uri = new HttpURI();
++ uri.setPath("");
++ uri.setAuthority("host", 0);
++ assertEquals("//host", uri.toString());
++ uri = new HttpURI();
++ uri.setAuthority("host", 0);
++ uri.setPath("");
++ assertEquals("//host", uri.toString());
++ }
+ }
+diff --git a/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java b/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java
+index 6b7d39e..d3dd5c8 100644
+--- a/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java
++++ b/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java
+@@ -197,7 +197,7 @@ public class ConnectHandler extends HandlerWrapper
+ {
+ if (HttpMethod.CONNECT.is(request.getMethod()))
+ {
+- String serverAddress = request.getRequestURI();
++ String serverAddress = baseRequest.getHttpURI().getAuthority();
+ if (LOG.isDebugEnabled())
+ LOG.debug("CONNECT request for {}", serverAddress);
+
+diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java b/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java
+index b15bcc7..5b996bb 100644
+--- a/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java
++++ b/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java
+@@ -1778,9 +1778,19 @@ public class Request implements HttpServletRequest
+
+ setMethod(request.getMethod());
+ HttpURI uri = request.getURI();
+- _originalURI = uri.isAbsolute()&&request.getHttpVersion()!=HttpVersion.HTTP_2?uri.toString():uri.getPathQuery();
++ String encoded;
++ if (HttpMethod.CONNECT.is(request.getMethod()))
++ {
++ _originalURI = uri.getAuthority();
++ encoded = "/";
++ }
++ else
++ {
++ _originalURI = uri.isAbsolute() && request.getHttpVersion() != HttpVersion.HTTP_2 ? uri.toString() : uri.getPathQuery();
++ encoded = uri.getPath();
++ }
++
+
+- String encoded = uri.getPath();
+ String path;
+ if (encoded==null)
+ {
+diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java
+index 918a112..22391f7 100644
+--- a/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java
++++ b/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java
+@@ -365,7 +365,7 @@ public class HttpConnectionTest
+ public void testBadPathDotDotPath() throws Exception
+ {
+ String response=connector.getResponse("GET /ooops/../../path HTTP/1.0\r\nHost: localhost:80\r\n\n");
+- checkContains(response,0,"HTTP/1.1 400 Bad URI");
++ checkContains(response,0,"HTTP/1.1 400");
+ }
+
+ @Test
+@@ -380,28 +380,28 @@ public class HttpConnectionTest
+ public void testBadPathEncodedDotDotPath() throws Exception
+ {
+ String response=connector.getResponse("GET /ooops/%2e%2e/%2e%2e/path HTTP/1.0\r\nHost: localhost:80\r\n\n");
+- checkContains(response,0,"HTTP/1.1 400 Bad URI");
++ checkContains(response,0,"HTTP/1.1 400");
+ }
+
+ @Test
+ public void testBadDotDotPath() throws Exception
+ {
+ String response=connector.getResponse("GET ../path HTTP/1.0\r\nHost: localhost:80\r\n\n");
+- checkContains(response,0,"HTTP/1.1 400 Bad URI");
++ checkContains(response,0,"HTTP/1.1 400");
+ }
+
+ @Test
+ public void testBadSlashDotDotPath() throws Exception
+ {
+ String response=connector.getResponse("GET /../path HTTP/1.0\r\nHost: localhost:80\r\n\n");
+- checkContains(response,0,"HTTP/1.1 400 Bad URI");
++ checkContains(response,0,"HTTP/1.1 400");
+ }
+
+ @Test
+ public void testEncodedBadDotDotPath() throws Exception
+ {
+ String response=connector.getResponse("GET %2e%2e/path HTTP/1.0\r\nHost: localhost:80\r\n\n");
+- checkContains(response,0,"HTTP/1.1 400 Bad URI");
++ checkContains(response,0,"HTTP/1.1 400");
+ }
+
+ @Test
+@@ -1168,7 +1168,7 @@ public class HttpConnectionTest
+ "12345\r\n"+
+ "0;\r\n" +
+ "\r\n");
+- checkContains(response,offset,"HTTP/1.1 400 Bad Request");
++ checkContains(response,offset,"HTTP/1.1 400");
+ }
+ catch (Exception e)
+ {
=====================================
debian/patches/CVE-2022-2048.patch
=====================================
@@ -0,0 +1,47 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 17 Aug 2022 12:59:00 +0200
+Subject: CVE-2022-2048
+
+Origin: https://github.com/eclipse/jetty.project/issues/7935
+---
+ .../jetty/http2/server/HttpChannelOverHTTP2.java | 12 +-
+ .../org/eclipse/jetty/http2/server/BadURITest.java | 153 +++++++++++++++++++++
+ 2 files changed, 157 insertions(+), 8 deletions(-)
+ create mode 100644 jetty-http2/http2-server/src/test/java/org/eclipse/jetty/http2/server/BadURITest.java
+
+diff --git a/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java b/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java
+index 03b082e..3548497 100644
+--- a/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java
++++ b/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java
+@@ -143,13 +143,11 @@ public class HttpChannelOverHTTP2 extends HttpChannel implements Closeable, Writ
+ }
+ catch (BadMessageException x)
+ {
+- onBadMessage(x);
+- return null;
++ return () -> onBadMessage(x);
+ }
+ catch (Throwable x)
+ {
+- onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+- return null;
++ return () -> onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+ }
+ }
+
+@@ -175,13 +173,11 @@ public class HttpChannelOverHTTP2 extends HttpChannel implements Closeable, Writ
+ }
+ catch (BadMessageException x)
+ {
+- onBadMessage(x);
+- return null;
++ return () -> onBadMessage(x);
+ }
+ catch (Throwable x)
+ {
+- onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+- return null;
++ return () -> onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+ }
+ }
+
=====================================
debian/patches/series
=====================================
@@ -10,3 +10,5 @@ CVE-2021-28169.patch
CVE-2020-27216.patch
CVE-2020-27223.patch
CVE-2021-28165.patch
+CVE-2022-2047.patch
+CVE-2022-2048.patch