Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jetty-minimal for openSUSE:Factory checked in at 2026-04-18 23:20:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jetty-minimal (Old) and /work/SRC/openSUSE:Factory/.jetty-minimal.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jetty-minimal" Sat Apr 18 23:20:25 2026 rev:32 rq:1347974 version:9.4.58 Changes: -------- +++ only whitespace diff in changes, re-diffing jetty-http2.changes: same change --- /work/SRC/openSUSE:Factory/jetty-minimal/jetty-minimal.changes 2026-03-07 20:14:37.983539787 +0100 +++ /work/SRC/openSUSE:Factory/.jetty-minimal.new.11940/jetty-minimal.changes 2026-04-18 23:20:33.592820276 +0200 
@@ -1,0 +2,18 @@ +Sat Apr 18 09:18:24 UTC 2026 - Fridrich Strba <[email protected]> + +- Added patch: + * jetty-CVE-2026-2332.patch + + backport of upstream patch fixing bsc#1262115 (CVE-2026-2332): + HTTP/1.1 parser vulnerable to request smuggling when chunk + extensions are used + +------------------------------------------------------------------- +Mon Apr 13 15:27:50 UTC 2026 - Fridrich Strba <[email protected]> + +- Enable the jetty-jaspi module +- Added patch: + * jetty-CVE-2026-5795.patch + + backport of upstream patch fixing bsc#1261997 (CVE-2026-5795): + JaspiAuthenticator broken access control + +------------------------------------------------------------------- +++ only whitespace diff in changes, re-diffing jetty-websocket.changes: same change New: ---- jetty-CVE-2026-2332.patch jetty-CVE-2026-5795.patch ----------(New B)---------- New:/work/SRC/openSUSE:Factory/.jetty-minimal.new.11940/jetty-minimal.changes-- Added patch: /work/SRC/openSUSE:Factory/.jetty-minimal.new.11940/jetty-minimal.changes: * jetty-CVE-2026-2332.patch /work/SRC/openSUSE:Factory/.jetty-minimal.new.11940/jetty-minimal.changes- + backport of upstream patch fixing bsc#1262115 (CVE-2026-2332): New:/work/SRC/openSUSE:Factory/.jetty-minimal.new.11940/jetty-minimal.changes-- Added patch: /work/SRC/openSUSE:Factory/.jetty-minimal.new.11940/jetty-minimal.changes: * jetty-CVE-2026-5795.patch /work/SRC/openSUSE:Factory/.jetty-minimal.new.11940/jetty-minimal.changes- + backport of upstream patch fixing bsc#1261997 (CVE-2026-5795): ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jetty-alpn.spec ++++++ --- /var/tmp/diff_new_pack.A52IeZ/_old 2026-04-18 23:20:34.400853228 +0200 +++ /var/tmp/diff_new_pack.A52IeZ/_new 2026-04-18 23:20:34.404853391 +0200 
@@ -1,7 +1,7 @@ # # spec file for package jetty-alpn # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2000-2007, JPackage Project # # All modifications and additions to the file contributed by third parties jetty-http2.spec: same change ++++++ jetty-minimal.spec ++++++ --- /var/tmp/diff_new_pack.A52IeZ/_old 2026-04-18 23:20:34.480856491 +0200 +++ /var/tmp/diff_new_pack.A52IeZ/_new 2026-04-18 23:20:34.484856654 +0200 @@ -1,7 +1,7 @@ # # spec file for package jetty-minimal # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2000-2007, JPackage Project # # All modifications and additions to the file contributed by third parties @@ -30,6 +30,8 @@ Source0: https://github.com/eclipse/%{base_name}.project/archive/%{base_name}-%{version}%{addver}.tar.gz#/%{src_name}.tar.gz Patch0: jetty-port-to-servlet-4.0.patch Patch1: jetty-CVE-2025-11143.patch +Patch2: jetty-CVE-2026-2332.patch +Patch3: jetty-CVE-2026-5795.patch BuildRequires: fdupes BuildRequires: java-devel >= 1.8 BuildRequires: maven-local @@ -42,6 +44,7 @@ BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-shade-plugin) BuildRequires: mvn(org.apache.tomcat:tomcat-jasper) +BuildRequires: mvn(org.apache.tomcat:tomcat-jaspic-api) BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) BuildRequires: mvn(org.eclipse.jetty.orbit:javax.mail.glassfish) BuildRequires: mvn(org.eclipse.jetty.toolchain:jetty-schemas) @@ -145,6 +148,13 @@ %description -n %{base_name}-jaas %{extdesc} %{summary}. +%package -n %{base_name}-jaspi +Summary: The jaspi module for Jetty +Group: Productivity/Networking/Web/Servers + +%description -n %{base_name}-jaspi +%{extdesc} %{summary}. + %package -n %{base_name}-jmx Summary: The jmx module for Jetty Group: Productivity/Networking/Web/Servers 
@@ -279,9 +289,7 @@ %{summary}. %prep -%setup -q -n %{src_name} -%patch -P 0 -p1 -%patch -P 1 -p1 +%autosetup -n %{src_name} -p1 find . -name "*.?ar" -exec rm {} \; find . -name "*.class" -exec rm {} \; @@ -376,6 +384,8 @@ %pom_change_dep org.apache.directory.api: :::test jetty-jaas +%pom_change_dep :javax.security.auth.message org.apache.tomcat:tomcat-jaspic-api jetty-jaspi + # the default location is not allowed by SELinux sed -i '/<SystemProperty name="jetty.state"/d' \ jetty-home/src/main/resources%{_sysconfdir}/jetty-started.xml @@ -393,7 +403,6 @@ %pom_disable_module jetty-maven-plugin %pom_disable_module jetty-jspc-maven-plugin %pom_disable_module jetty-spring -%pom_disable_module jetty-jaspi %pom_disable_module jetty-nosql %pom_disable_module tests %pom_disable_module examples @@ -476,6 +485,8 @@ %files -n %{base_name}-jaas -f .mfiles-jetty-jaas +%files -n %{base_name}-jaspi -f .mfiles-jetty-jaspi + %files -n %{base_name}-jndi -f .mfiles-jetty-jndi %files -n %{base_name}-jsp -f .mfiles-jetty-jsp ++++++ jetty-unixsocket.spec ++++++ --- /var/tmp/diff_new_pack.A52IeZ/_old 2026-04-18 23:20:34.520858122 +0200 +++ /var/tmp/diff_new_pack.A52IeZ/_new 2026-04-18 23:20:34.524858285 +0200 @@ -1,7 +1,7 @@ # # spec file for package jetty-unixsocket # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2000-2007, JPackage Project # # All modifications and additions to the file contributed by third parties jetty-websocket.spec: same change ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.A52IeZ/_old 2026-04-18 23:20:34.612861874 +0200 +++ /var/tmp/diff_new_pack.A52IeZ/_new 2026-04-18 23:20:34.616862037 +0200 
@@ -1,6 +1,6 @@ -mtime: 1772826880 -commit: 64bb734a4ee0ad81241daf40660ce4a9bf318a05b767e68f7be27498e1869cc1 +mtime: 1776535977 +commit: 1251b91605b3f263f620761ae8548b8111cc923a566002a01ba0241e6b37b8b8 url: https://src.opensuse.org/java-packages/jetty-minimal.git -revision: 64bb734a4ee0ad81241daf40660ce4a9bf318a05b767e68f7be27498e1869cc1 +revision: 1251b91605b3f263f620761ae8548b8111cc923a566002a01ba0241e6b37b8b8 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-18 20:13:51.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ jetty-CVE-2026-2332.patch ++++++ ++++ 2197 lines (skipped) ++++++ jetty-CVE-2026-5795.patch ++++++ --- a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/JaspiAuthenticator.java +++ b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/JaspiAuthenticator.java @@ -146,7 +146,21 @@ public class JaspiAuthenticator extends LoginAuthenticator ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties); Subject clientSubject = new Subject(); - AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject); + AuthStatus authStatus; + CallerPrincipalCallback principalCallback; + GroupPrincipalCallback groupPrincipalCallback; + + try + { + _callbackHandler.clear(); + authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject); + principalCallback = _callbackHandler.getThreadCallerPrincipalCallback(); + groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback(); + } + finally + { + _callbackHandler.clear(); + } if (authStatus == AuthStatus.SEND_CONTINUE) return Authentication.SEND_CONTINUE; 
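Review bot: The new try/finally in the JaspiAuthenticator hunk reads both thread-local callbacks right after `validateRequest` and clears the handler on every exit path, but nothing in the hunk records why the reads must stay inside the try and why the handler is cleared before the call as well as after it, so a later refactor could move the reads back below the `if` and reopen the issue. Suggest a comment above `try`: `// Snapshot the per-thread callbacks produced by validateRequest and clear the handler on every exit path, so a callback left on this thread by an earlier request is never attributed to this one.` The leading `_callbackHandler.clear()` appears to be defence against state left by a path that never reached this finally; if so, the comment should say that too. The enclosing method starts and ends outside the hunk.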
@@ -157,13 +171,12 @@ public class JaspiAuthenticator extends LoginAuthenticator
         {
             Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
             UserIdentity userIdentity;
-            if (ids.size() > 0)
+            if (!ids.isEmpty())
             {
                 userIdentity = ids.iterator().next();
             }
             else
             {
-                CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
                 if (principalCallback == null)
                 {
                     return Authentication.UNAUTHENTICATED;
@@ -186,7 +199,6 @@ public class JaspiAuthenticator extends LoginAuthenticator
                     return Authentication.UNAUTHENTICATED;
                 }
             }
-            GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
             String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
             userIdentity = _identityService.newUserIdentity(clientSubject, principal, groups);
         }
--- a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/ServletCallbackHandler.java
+++ b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/ServletCallbackHandler.java
@@ -136,4 +136,10 @@ public class ServletCallbackHandler implements CallbackHandler
         _groupPrincipals.set(null);
         return groupPrincipalCallback;
     }
+
+    public void clear()
+    {
+        _callerPrincipals.remove();
+        _groupPrincipals.remove();
+    }
 }
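Review bot: `clear()` in the ServletCallbackHandler hunk is a new public method with no Javadoc, and since callers rely on it to make the per-thread callback slots safe to reuse, that contract should be stated: `/** Discards any caller/group principal callbacks left on the current thread, so a later validateRequest on this thread cannot observe another request's identity. Safe to call when nothing is set. */`. The getter visible in the context lines nulls its slot with `_groupPrincipals.set(null)` whereas `clear()` uses `remove()`; both leave the slot empty, but `remove()` also drops the thread's entry, so unifying the getters on `remove()` would make the handler's thread-local handling consistent (the getter bodies begin outside the hunk).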
