Accepted jetty9 9.4.16-0+deb10u1 (source) into proposed-updates->stable

    From Debian FTP Masters@21:1/5 to All on Thu Aug 5 22:00:01 2021

    Format: 1.8
    Date: Sun, 01 Aug 2021 13:52:06 +0200
    Source: jetty9
    Architecture: source
    Version: 9.4.16-0+deb10u1
    Distribution: buster-security
    Urgency: high
    Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
    Changed-By: Markus Koschany <apo@debian.org>
    Changes:
    jetty9 (9.4.16-0+deb10u1) buster-security; urgency=high
    .
    * Team upload.
    * New upstream version 9.4.16.
    - Fix CVE-2019-10241:
    The server is vulnerable to XSS conditions if a remote client uses a
    specially formatted URL against the DefaultServlet or ResourceHandler that
    is configured for showing a Listing of directory contents.
    - Fix CVE-2019-10247:
    The server running on any OS and Jetty version combination will reveal
    the configured fully qualified directory base resource location on the
    output of the 404 error for not finding a Context that matches the
    requested path. The default server behavior on jetty-distribution and
    jetty-home will include at the end of the Handler tree a DefaultHandler,
    which is responsible for reporting this 404 error; it presents the
    various configured contexts as HTML for users to click through to. This
    produced HTML includes output that contains the configured fully
    qualified directory base resource location for each context.
    * Fix CVE-2020-27216:
    On Unix like systems, the system's temporary directory is shared between
    all users on that system. A collocated user can observe the process of
    creating a temporary sub directory in the shared temporary directory and
    race to complete the creation of the temporary subdirectory. If the
    attacker wins the race then they will have read and write permission to the
    subdirectory used to unpack web applications, including their WEB-INF/lib
    jar files and JSP files. If any code is ever executed out of this temporary
    directory, this can lead to a local privilege escalation vulnerability.
    * Fix CVE-2020-27223:
    When Jetty handles a request containing multiple Accept headers with a large
    number of “quality” (i.e. q) parameters, the server may enter a denial of
    service (DoS) state due to high CPU usage processing those quality values,
    resulting in minutes of CPU time exhausted processing those quality values.
    * Fix CVE-2020-28165:
    CPU usage can reach 100% upon receiving a large invalid TLS frame.
    * Fix CVE-2020-28169:
    It is possible for requests to the ConcatServlet with a doubly encoded path
    to access protected resources within the WEB-INF directory. For example a
    request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file.
    This can reveal sensitive information regarding the implementation of a web
    application.
    * Fix CVE-2021-34428:
    If an exception is thrown from the SessionListener#sessionDestroyed()
    method, then the session ID is not invalidated in the session ID manager.
    On deployments with clustered sessions and multiple contexts this can
    result in a session not being invalidated. This can result in an
    application used on a shared computer being left logged in.
    Checksums-Sha1:
    5499963e5826e26b032777d47f4e12745a5423a2 2776 jetty9_9.4.16-0+deb10u1.dsc
    a06c77c3ed0cedfd4817a59fb6d7b1660a635666 18894200 jetty9_9.4.16.orig.tar.gz
    0661420144f977eaa1a12ce6afd542dd2dd09fe0 47900 jetty9_9.4.16-0+deb10u1.debian.tar.xz
    cea03faa72491e2e3e2e60d81b5c1b0f81addcd6 17615 jetty9_9.4.16-0+deb10u1_amd64.buildinfo
    Checksums-Sha256:
    befbc99daa908a9a8d9d9115765cf9997c25de138f63e5348884f0506d0f2fd7 2776 jetty9_9.4.16-0+deb10u1.dsc
    919296a15fea935ec2b499cb1f84bb0e48ec4418b96b0e8c993fb06c9036a157 18894200 jetty9_9.4.16.orig.tar.gz
    d8a7b763832904571e117be737e6314194c5c7c1ab86143bde1f77139f3e5fac 47900 jetty9_9.4.16-0+deb10u1.debian.tar.xz
    1c7f903b969de635524f0b802d4a8aceceac077b2da91b0e7c0136c7fc7c413e 17615 jetty9_9.4.16-0+deb10u1_amd64.buildinfo
    Files:
    92df2f5ead584eabf0be501191007528 2776 java optional jetty9_9.4.16-0+deb10u1.dsc
    6ccafa22ffcd70e9a0bff9eff77441d5 18894200 java optional jetty9_9.4.16.orig.tar.gz
    55ed1ee1866b1955ba4bbf6ce6b60278 47900 java optional jetty9_9.4.16-0+deb10u1.debian.tar.xz
    2ef0532cd7a8a69018518cd7d87ab2bf 17615 java optional jetty9_9.4.16-0+deb10u1_amd64.buildinfo


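As an added example (not part of this announcement, of Debian's tooling or of Jetty's code): a small Python checker that normalises request paths by repeated percent-decoding, so the doubly encoded WEB-INF access described under CVE-2020-28169 is recognised after decoding, and that counts Accept q parameters to spot the CVE-2020-27223 pattern. The sample requests, the "METHOD PATH | Accept: ..." line layout and the q-parameter threshold are constructed assumptions.

```python
"""Detection helpers for two of the Jetty issues above (hypothetical code
written for this page, not from Jetty or Debian)."""
import re
from urllib.parse import unquote

# Constructed sample request lines in an assumed "METHOD PATH | Accept: <value>" layout.
SAMPLE_REQUESTS = [
    "GET /concat?/%2557EB-INF/web.xml | Accept: text/html",
    "GET /app/index.html | Accept: text/html;q=0.9,*/*;q=0.8",
    "GET /static/logo.png | Accept: "
    + ",".join("text/plain;q=0.%d" % (i % 10) for i in range(300)),
    "GET /app/WEB-INF/web.xml | Accept: */*",
]

MAX_DECODE_ROUNDS = 4   # unwraps double/triple encoding; bounded so decoding always terminates
Q_PARAM_LIMIT = 50      # assumed threshold for "too many" q parameters; tune to real traffic

def fully_decode(path: str) -> str:
    """Percent-decode repeatedly until the string stops changing.
    One decode of /%2557EB-INF/ gives /%57EB-INF/, which still hides WEB-INF;
    the second round exposes it (the CVE-2020-28169 pattern)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def touches_web_inf(path: str) -> bool:
    """True if any path or query segment equals WEB-INF (case-insensitive) after full decoding.
    The query part is inspected too, because ConcatServlet took its target from there."""
    return any(seg.upper() == "WEB-INF" for seg in re.split(r"[/?&]", fully_decode(path)))

def count_q_params(accept: str) -> int:
    """Number of q= quality parameters across all Accept values (CVE-2020-27223 pattern)."""
    return len(re.findall(r";\s*q=", accept))

def analyze(line: str) -> dict:
    """Split one constructed request line into path findings."""
    req, _, accept = line.partition(" | Accept: ")
    _, path = req.split(" ", 1)
    q_params = count_q_params(accept)
    return {"path": path, "web_inf": touches_web_inf(path),
            "q_params": q_params, "q_flood": q_params > Q_PARAM_LIMIT}

def flagged(lines=SAMPLE_REQUESTS) -> list:
    """Paths of requests that match either pattern."""
    return [r["path"] for r in map(analyze, lines) if r["web_inf"] or r["q_flood"]]
```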