[Git][java-team/jetty9][buster] Import Debian changes 9.4.50-4+deb10u2
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sat Apr 6 21:15:10 BST 2024
Markus Koschany pushed to branch buster at Debian Java Maintainers / jetty9
Commits:
4b51f04b by Markus Koschany at 2024-04-06T22:14:42+02:00
Import Debian changes 9.4.50-4+deb10u2
jetty9 (9.4.50-4+deb10u2) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2024-22201:
It was discovered that remote attackers may leave many HTTP/2 connections
in ESTABLISHED state (not closed), TCP congested and idle. Eventually the
server will stop accepting new connections from valid clients which can
cause a denial of service.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2024-22201.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+jetty9 (9.4.50-4+deb10u2) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2024-22201:
+ It was discovered that remote attackers may leave many HTTP/2 connections
+ in ESTABLISHED state (not closed), TCP congested and idle. Eventually the
+ server will stop accepting new connections from valid clients which can
+ cause a denial of service.
+
+ -- Markus Koschany <apo at debian.org> Sat, 06 Apr 2024 12:41:45 +0200
+
jetty9 (9.4.50-4+deb10u1) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2024-22201.patch
=====================================
@@ -0,0 +1,138 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 20 Mar 2024 09:28:22 +0100
+Subject: CVE-2024-22201
+
+Origin: https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b
+Bug-Debian: https://bugs.debian.org/1064923
+---
+ .../jetty/http2/client/IdleTimeoutTest.java | 56 ++++++++++++++++++++++
+ .../java/org/eclipse/jetty/http2/HTTP2Session.java | 14 +++++-
+ 2 files changed, 69 insertions(+), 1 deletion(-)
+
+diff --git a/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java b/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java
+index 3871b32..5e65cbb 100644
+--- a/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java
++++ b/jetty-http2/http2-client/src/test/java/org/eclipse/jetty/http2/client/IdleTimeoutTest.java
+@@ -19,7 +19,11 @@
+ package org.eclipse.jetty.http2.client;
+
+ import java.io.IOException;
++import java.net.InetSocketAddress;
+ import java.nio.ByteBuffer;
++import java.nio.channels.SelectionKey;
++import java.nio.channels.SocketChannel;
++import java.time.Duration;
+ import java.util.concurrent.CountDownLatch;
+ import java.util.concurrent.TimeUnit;
+ import java.util.concurrent.TimeoutException;
+@@ -43,7 +47,10 @@ import org.eclipse.jetty.http2.frames.DataFrame;
+ import org.eclipse.jetty.http2.frames.GoAwayFrame;
+ import org.eclipse.jetty.http2.frames.HeadersFrame;
+ import org.eclipse.jetty.http2.frames.ResetFrame;
++import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
+ import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
++import org.eclipse.jetty.io.ManagedSelector;
++import org.eclipse.jetty.io.SocketChannelEndPoint;
+ import org.eclipse.jetty.server.HttpConfiguration;
+ import org.eclipse.jetty.server.Server;
+ import org.eclipse.jetty.server.ServerConnector;
+@@ -57,7 +64,9 @@ import org.eclipse.jetty.util.thread.QueuedThreadPool;
+ import org.hamcrest.Matchers;
+ import org.junit.jupiter.api.Test;
+
++import static org.awaitility.Awaitility.await;
+ import static org.hamcrest.MatcherAssert.assertThat;
++import static org.hamcrest.Matchers.is;
+ import static org.junit.jupiter.api.Assertions.assertEquals;
+ import static org.junit.jupiter.api.Assertions.assertFalse;
+ import static org.junit.jupiter.api.Assertions.assertTrue;
+@@ -681,6 +690,53 @@ public class IdleTimeoutTest extends AbstractTest
+ assertThat(((ISession)client).updateSendWindow(0), Matchers.greaterThan(0));
+ }
+
++ @Test
++ public void testIdleTimeoutWhenCongested() throws Exception
++ {
++ long idleTimeout = 1000;
++ HTTP2CServerConnectionFactory h2c = new HTTP2CServerConnectionFactory(new HttpConfiguration());
++ prepareServer(h2c);
++ server.removeConnector(connector);
++ connector = new ServerConnector(server, 1, 1, h2c)
++ {
++ @Override
++ protected SocketChannelEndPoint newEndPoint(SocketChannel channel, ManagedSelector selectSet, SelectionKey key)
++ {
++ SocketChannelEndPoint endpoint = new SocketChannelEndPoint(channel, selectSet, key, getScheduler())
++ {
++ @Override
++ public boolean flush(ByteBuffer... buffers)
++ {
++ // Fake TCP congestion.
++ return false;
++ }
++
++ @Override
++ protected void onIncompleteFlush()
++ {
++ // Do nothing here to avoid spin loop,
++ // since the network is actually writable,
++ // as we are only faking TCP congestion.
++ }
++ };
++ endpoint.setIdleTimeout(getIdleTimeout());
++ return endpoint;
++ }
++ };
++ connector.setIdleTimeout(idleTimeout);
++ server.addConnector(connector);
++ server.start();
++
++ prepareClient();
++ client.start();
++
++ InetSocketAddress address = new InetSocketAddress("localhost", connector.getLocalPort());
++ // The connect() will complete exceptionally.
++ client.connect(address, new Session.Listener.Adapter(), new Promise.Completable<>());
++
++ await().atMost(Duration.ofMillis(5 * idleTimeout)).until(() -> connector.getConnectedEndPoints().size(), is(0));
++ }
++
+ private void sleep(long value)
+ {
+ try
+diff --git a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
+index a1c5ace..bfbc02b 100644
+--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
++++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/HTTP2Session.java
+@@ -1824,6 +1824,7 @@ public abstract class HTTP2Session extends ContainerLifeCycle implements ISessio
+ {
+ String reason = "idle_timeout";
+ boolean notify = false;
++ boolean terminate = false;
+ boolean sendGoAway = false;
+ GoAwayFrame goAwayFrame = null;
+ Throwable cause = null;
+@@ -1867,11 +1868,22 @@ public abstract class HTTP2Session extends ContainerLifeCycle implements ISessio
+ {
+ if (LOG.isDebugEnabled())
+ LOG.debug("Already closed, ignored idle timeout for {}", HTTP2Session.this);
+- return false;
++ // Writes may be TCP congested, so termination never happened.
++ terminate = true;
++ goAwayFrame = goAwaySent;
++ if (goAwayFrame == null)
++ goAwayFrame = goAwayRecv;
++ break;
+ }
+ }
+ }
+
++ if (terminate)
++ {
++ terminate(goAwayFrame);
++ return false;
++ }
++
+ if (notify)
+ {
+ boolean confirmed = notifyIdleTimeout(HTTP2Session.this);
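Review bot: In the HTTP2Session hunk, `goAwayFrame` can still be null after the new fallback when the session reached the closed state without a GOAWAY in either direction (`goAwaySent` and `goAwayRecv` both unset), so `terminate(goAwayFrame)` may be invoked with a null frame; whether `terminate()` and the close listeners it notifies tolerate null is not visible in this patch and should be confirmed against the method body, with an explicit null-frame path added if it does not. The comment `// Writes may be TCP congested, so termination never happened.` would be clearer as `// Already closed, but the GOAWAY write may never have flushed (TCP congestion), so the endpoint was never terminated; force termination so the idle timeout actually releases the connection.` The enclosing method (presumably onIdleTimeout()) starts and ends outside the hunk, so it is assumed the new `if (terminate)` block runs outside the lock held by the preceding loop, matching the existing `notify`/`sendGoAway` handling. On the test side, `testIdleTimeoutWhenCongested` adds a static import of `org.awaitility.Awaitility.await`; if the buster build compiles the http2-client test sources, that dependency must be present in the build or the backport will fail to build.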
=====================================
debian/patches/series
=====================================
@@ -12,3 +12,4 @@ CVE-2023-41900.patch
CVE-2023-36479.patch
CVE-2023-44487.patch
CVE-2023-36478.patch
+CVE-2024-22201.patch