[Git][java-team/jetty9][bullseye] 12 commits: New upstream version 9.4.40
Markus Koschany (@apo)
gitlab at salsa.debian.org
Mon Oct 30 16:31:49 GMT 2023
Markus Koschany pushed to branch bullseye at Debian Java Maintainers / jetty9
Commits:
8ff9b299 by Emmanuel Bourg at 2021-10-18T10:26:37+02:00
New upstream version 9.4.40
- - - - -
348c44a3 by Emmanuel Bourg at 2021-10-18T10:27:32+02:00
New upstream version 9.4.41
- - - - -
d63be05d by Emmanuel Bourg at 2021-10-18T10:28:25+02:00
New upstream version 9.4.42
- - - - -
2812d7f1 by Emmanuel Bourg at 2021-10-18T10:29:06+02:00
New upstream version 9.4.43
- - - - -
ff45b723 by Emmanuel Bourg at 2021-10-18T10:29:34+02:00
New upstream version 9.4.44
- - - - -
68c3a969 by Markus Koschany at 2022-02-11T10:53:57+01:00
New upstream version 9.4.45
- - - - -
e6071ff4 by Markus Koschany at 2022-02-11T11:19:54+01:00
New upstream version 9.4.45
- - - - -
ace796c1 by Emmanuel Bourg at 2022-05-02T18:34:10+02:00
New upstream version 9.4.46
- - - - -
006797f4 by Markus Koschany at 2022-07-18T13:25:59+02:00
New upstream version 9.4.48
- - - - -
b614d144 by Markus Koschany at 2022-09-22T23:40:01+02:00
New upstream version 9.4.49
- - - - -
a6be8216 by Emmanuel Bourg at 2022-11-27T22:36:01+01:00
New upstream version 9.4.50
- - - - -
038b6bc7 by Markus Koschany at 2023-10-30T17:31:26+01:00
Import Debian changes 9.4.50-4+deb11u1
jetty9 (9.4.50-4+deb11u1) bullseye-security; urgency=high
.
* Team upload.
* Backport Jetty 9 version from Bookworm.
* Fix CVE-2023-36478 and CVE-2023-44487:
Two remotely exploitable security vulnerabilities were discovered in Jetty
9, a Java-based web server and servlet engine. The HTTP/2 protocol
implementation did not sufficiently verify if HPACK header values exceed
their size limit. Furthermore, the HTTP/2 protocol allowed a denial of
service (server resource consumption) because request cancellation can
reset many streams quickly. This problem is also known as the Rapid Reset
Attack.
.
jetty9 (9.4.50-4+deb12u1) bookworm-security; urgency=high
.
* Team upload.
* The org.eclipse.jetty.servlets.CGI has been deprecated. It is potentially
unsafe to use it. The upstream developers of Jetty recommend using FastCGI
instead. See also CVE-2023-36479.
* Fix CVE-2023-26048:
Jetty is a Java-based web server and servlet engine. In affected versions
servlets with multipart support (e.g. annotated with `@MultipartConfig`)
that call `HttpServletRequest.getParameter()` or
`HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
client sends a multipart request with a part that has a name but no
filename and very large content. This happens even with the default
settings of `fileSizeThreshold=0` which should stream the whole part
content to disk.
* Fix CVE-2023-26049:
Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies, or otherwise perform unintended behavior by
tampering with the cookie parsing mechanism.
* Fix CVE-2023-40167:
Prior to this version Jetty accepted the `+` character preceding the
content-length value in an HTTP/1 header field. This is more permissive than
allowed by the RFC, and other servers routinely reject such requests with
400 responses. There is no known exploit scenario, but it is conceivable
that request smuggling could result if Jetty is used in combination with a
server that does not close the connection after sending such a 400
response.
* CVE-2023-36479:
Users of the CgiServlet with a very specific command structure may have the
wrong command executed. If a user sends a request to a
org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its
name, the servlet will escape the command by wrapping it in quotation
marks. This wrapped command, plus an optional command prefix, will then be
executed through a call to Runtime.exec. If the original binary name
provided by the user contains a quotation mark followed by a space, the
resulting command line will contain multiple tokens instead of one.
* Fix CVE-2023-41900:
Jetty is vulnerable to weak authentication. If a Jetty
`OpenIdAuthenticator` uses the optional nested `LoginService`, and that
`LoginService` decides to revoke an already authenticated user, then the
current request will still treat the user as authenticated. The
authentication is then cleared from the session and subsequent requests
will not be treated as authenticated. So a request on a previously
authenticated session could be allowed to bypass authentication after it
had been rejected by the `LoginService`. This impacts usages of the
jetty-openid which have configured a nested `LoginService` and where that
`LoginService` is capable of rejecting previously authenticated users.
.
jetty9 (9.4.50-4) unstable; urgency=medium
.
* Team upload.
* Revert the switch to libtomcat10-java. For now Jetty 9 only works correctly
with libtomcat9-java. (Closes: #1036798)
.
jetty9 (9.4.50-3) unstable; urgency=medium
.
* Team upload.
* Depend on libtomcat10-java instead of libtomcat9-java.
* Add tomcat10-migration.patch.
* Ignore jetty-jaspi module because it does not work with Tomcat 10 yet.
.
jetty9 (9.4.50-2) unstable; urgency=medium
.
* Depend on libeclipse-jdt-core-java instead of libecj-java
* Standards-Version updated to 4.6.2
.
jetty9 (9.4.50-1) unstable; urgency=medium
.
* New upstream release
- Refreshed the patches
.
jetty9 (9.4.49-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 9.4.49.
.
jetty9 (9.4.48-1) unstable; urgency=high
.
* Team upload.
* New upstream version 9.4.48.
- Fix CVE-2022-2048 and CVE-2022-2047.
.
jetty9 (9.4.46-1) unstable; urgency=medium
.
* New upstream release
- Refreshed the patches
.
jetty9 (9.4.45-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 9.4.45.
* Remove haproxy binary file from the sources.
.
jetty9 (9.4.44-4) unstable; urgency=medium
.
* Team upload.
* Add servlet-api.patch and correct the API version in jetty-home/pom.xml.
This used to work because libservlet3.1-java was pulled in as a transitive
dependency. (Closes: #1002274)
.
jetty9 (9.4.44-3) unstable; urgency=medium
.
* Team upload.
* Ignore junit-bom artifact of scope import.
The junit-bom dependency caused several FTBFS because of
reverse-dependencies that did not depend on junit5.
.
jetty9 (9.4.44-2) unstable; urgency=medium
.
* Team upload.
* Update README.Debian and clarify how to override systemd security features.
(Closes: #994440)
* Replace deprecated configuration options in start.ini.
Thanks to Martin van Es for the report. (Closes: #994441)
.
jetty9 (9.4.44-1) unstable; urgency=medium
.
* New upstream release
- Refreshed the patches
- Updated the Maven rules
* Depend on libservlet-api-java instead of libservlet3.1-java
* No longer remove the jetty user/group when purging the package
* Standards-Version updated to 4.6.0.1
* Switch to debhelper level 13
- - - - -
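The Content-Length leniency fixed by CVE-2023-40167 in the changelog above, as an added illustration that is not Jetty's or the Debian package's code: a permissive parser beside an RFC 9110 strict one, with constructed sample values showing which inputs the two disagree on. The function names and the sample values are assumptions.

```python
import re
from typing import Optional

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (no sign, whitespace or hex).
_DIGITS = re.compile(r"[0-9]+")


def lenient_content_length(value: str) -> Optional[int]:
    """Permissive parse modelled on the pre-fix behaviour described above:
    int() accepts a leading '+' and surrounding whitespace, so '+42' -> 42."""
    try:
        return int(value)
    except ValueError:
        return None


def strict_content_length(value: str) -> Optional[int]:
    """RFC-conformant parse of one Content-Length field value.

    Comma-separated members may carry optional whitespace around them (list
    syntax), but each member must be pure ASCII digits and all must agree.
    '+42', '4 2', '42, 43' and '' yield None so the caller answers 400."""
    members = [m.strip(" \t") for m in value.split(",")]
    if any(not _DIGITS.fullmatch(m) for m in members):
        return None
    if len(set(members)) != 1:
        return None
    return int(members[0])


def body_length_from_headers(headers) -> Optional[int]:
    """Resolve the body length from a parsed list of (name, value) headers.
    Repeated Content-Length fields are merged and must agree; no field -> 0."""
    values = [v for name, v in headers if name.lower() == "content-length"]
    if not values:
        return 0
    return strict_content_length(",".join(values))


# Constructed sample field values, not captured traffic.
SAMPLE_VALUES = ["42", "+42", "+0", "42, 42", "42, 43", "0x2A", ""]


def divergent_values(values=SAMPLE_VALUES):
    """Values the lenient parser accepts but the strict one rejects: inputs
    two hops could disagree on, which is the smuggling precondition."""
    return [v for v in values
            if lenient_content_length(v) is not None
            and strict_content_length(v) is None]
```

Front-end proxies and origin servers should agree on the strict rule; a hop that forwards a `+42` body length to a hop that rejects it is the mismatch the advisory text describes.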
30 changed files:
- .github/ISSUE_TEMPLATE/issue-template.md
- .github/dependabot.yml
- Jenkinsfile
- VERSION.txt
- aggregates/jetty-all-compact3/pom.xml
- aggregates/jetty-all/pom.xml
- apache-jsp/pom.xml
- apache-jsp/src/main/java/org/eclipse/jetty/apache/jsp/JettyJasperInitializer.java
- apache-jsp/src/main/java/org/eclipse/jetty/apache/jsp/JettyTldPreScanned.java
- apache-jsp/src/main/java/org/eclipse/jetty/apache/jsp/JuliLog.java
- apache-jsp/src/main/java/org/eclipse/jetty/jsp/JettyJspServlet.java
- apache-jsp/src/test/java/org/eclipse/jetty/jsp/TestJettyJspServlet.java
- apache-jsp/src/test/java/org/eclipse/jetty/jsp/TestJettyTldPreScanned.java
- apache-jsp/src/test/java/org/eclipse/jetty/jsp/TestJspFileNameToClass.java
- apache-jstl/pom.xml
- apache-jstl/src/test/java/org/eclipse/jetty/jstl/JspConfig.java
- apache-jstl/src/test/java/org/eclipse/jetty/jstl/JspIncludeTest.java
- apache-jstl/src/test/java/org/eclipse/jetty/jstl/JstlTest.java
- build-resources/pom.xml
- debian/README.Debian
- debian/changelog
- debian/control
- debian/copyright
- debian/jetty9.dirs
- debian/jetty9.links
- debian/jetty9.postrm
- debian/maven.ignoreRules
- debian/maven.rules
- debian/patches/01-maven-bundle-plugin-version.patch
- debian/patches/02-import-alpn-api.patch
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/java-team/jetty9/-/compare/8648cca8e0b426be8e0381e8e1204dd93cfbb52a...038b6bc7fdcb5ae3cbb7715a77a560e2e9fa5baa