jetty9_9.4.16-0+deb10u1_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Thu Aug 5 20:52:56 BST 2021



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Aug 2021 13:52:06 +0200
Source: jetty9
Architecture: source
Version: 9.4.16-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Markus Koschany <apo at debian.org>
Changes:
 jetty9 (9.4.16-0+deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * New upstream version 9.4.16.
     - Fix CVE-2019-10241:
       The server is vulnerable to XSS conditions if a remote client uses a
       specially formatted URL against the DefaultServlet or ResourceHandler that
       is configured for showing a listing of directory contents.
     - Fix CVE-2019-10247:
       The server running on any OS and Jetty version combination will reveal
       the configured fully qualified directory base resource location on the
       output of the 404 error for not finding a Context that matches the
       requested path. The default server behavior on jetty-distribution and
       jetty-home will include at the end of the Handler tree a DefaultHandler,
       which is responsible for reporting this 404 error; it presents the
       various configured contexts as HTML for users to click through to. This
       produced HTML includes output that contains the configured fully
       qualified directory base resource location for each context.
   * Fix CVE-2020-27216:
     On Unix-like systems, the system's temporary directory is shared between
     all users on that system. A co-located user can observe the process of
     creating a temporary subdirectory in the shared temporary directory and
     race to complete the creation of the temporary subdirectory. If the
     attacker wins the race then they will have read and write permission to the
     subdirectory used to unpack web applications, including their WEB-INF/lib
     jar files and JSP files. If any code is ever executed out of this temporary
     directory, this can lead to a local privilege escalation vulnerability.
   * Fix CVE-2020-27223:
     When Jetty handles a request containing multiple Accept headers with a large
     number of "quality" (i.e. q) parameters, the server may enter a denial of
     service (DoS) state due to high CPU usage processing those quality values,
     resulting in minutes of CPU time exhausted processing those quality values.
   * Fix CVE-2020-28165:
     CPU usage can reach 100% upon receiving a large invalid TLS frame.
   * Fix CVE-2020-28169:
     It is possible for requests to the ConcatServlet with a doubly encoded path
     to access protected resources within the WEB-INF directory. For example, a
     request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file.
     This can reveal sensitive information regarding the implementation of a web
     application.
   * Fix CVE-2021-34428:
     If an exception is thrown from the SessionListener#sessionDestroyed()
     method, then the session ID is not invalidated in the session ID manager.
     On deployments with clustered sessions and multiple contexts this can
     result in a session not being invalidated. This can result in an
     application used on a shared computer being left logged in.



Thank you for your contribution to Debian.