Bug#928444: jetty9: CVE-2019-10241 CVE-2019-10247

Salvatore Bonaccorso carnil at debian.org
Sat May 4 19:57:31 BST 2019


Source: jetty9
Version: 9.4.15-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

The following vulnerabilities were published for jetty9. Although they
are distinct issues, and one is addressed in 9.4.16 and the other in
4.9.17 I still opted to file one single bug, assuming the next update
will move to at least 9.4.17.

CVE-2019-10241[0]:
| In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and
| 9.4.15 and older, the server is vulnerable to XSS conditions if a
| remote client USES a specially formatted URL against the
| DefaultServlet or ResourceHandler that is configured for showing a
| Listing of directory contents.


CVE-2019-10247[1]:
| In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older,
| and 9.4.16 and older, the server running on any OS and Jetty version
| combination will reveal the configured fully qualified directory base
| resource location on the output of the 404 error for not finding a
| Context that matches the requested path. The default server behavior
| on jetty-distribution and jetty-home will include at the end of the
| Handler tree a DefaultHandler, which is responsible for reporting this
| 404 error, it presents the various configured contexts as HTML for
| users to click through to. This produced HTML includes output that
| contains the configured fully qualified directory base resource
| location for each context.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
[1] https://security-tracker.debian.org/tracker/CVE-2019-10247
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577

Regards,
Salvatore
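Added example, not part of the bug report or of the jetty9 package: an embedded Jetty 9.4 setup that switches off the two listing features the CVE descriptions name, directory listings in DefaultServlet/ResourceHandler (CVE-2019-10241) and the context listing on DefaultHandler's 404 page (CVE-2019-10247). The resource base paths are hypothetical; upgrading to 9.4.17 as the report assumes remains the fix, this only limits exposure until that upgrade lands.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class HardenedJetty {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // Context served by DefaultServlet. Directory listings are on by
        // default ("dirAllowed" = true); disabling them removes the listing
        // page in which CVE-2019-10241 is reported.
        ServletContextHandler files = new ServletContextHandler();
        files.setContextPath("/files");
        files.setResourceBase("/srv/www/files"); // hypothetical path
        ServletHolder def = new ServletHolder("default", DefaultServlet.class);
        def.setInitParameter("dirAllowed", "false");
        files.addServlet(def, "/");

        // Static content via ResourceHandler, listings off for the same reason.
        ResourceHandler res = new ResourceHandler();
        res.setResourceBase("/srv/www/static"); // hypothetical path
        res.setDirectoriesListed(false);
        ContextHandler statics = new ContextHandler("/static");
        statics.setHandler(res);

        // DefaultHandler terminates the handler tree and renders the 404 page.
        // With showContexts off it no longer prints the contexts and their
        // fully qualified base resource locations (CVE-2019-10247).
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);

        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { files, statics, fallback });
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}
```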