Your message dated Sat, 03 Jul 2021 17:33:33 +0000
with message-id <[email protected]>
and subject line Bug#989999: fixed in jetty9 9.4.39-2
has caused the Debian Bug report #989999,
regarding jetty9: CVE-2021-28169
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
989999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989999
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jetty9
Version: 9.4.39-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/eclipse/jetty.project/issues/6263
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for jetty9.

CVE-2021-28169[0]:
| For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2,
| it is possible for requests to the ConcatServlet with a doubly encoded
| path to access protected resources within the WEB-INF directory. For
| example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the
| web.xml file. This can reveal sensitive information regarding the
| implementation of a web application.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28169
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28169
[1] https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
[2] https://github.com/eclipse/jetty.project/issues/6263
[3] https://github.com/eclipse/jetty.project/commit/1c05b0bcb181c759e98b060bded0b9376976b055

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
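The report above (and the matching changelog entry later in this thread) describes the bug class in one sentence: a check that percent-decodes a path once does not see `WEB-INF` in `/%2557EB-INF/web.xml`, because the first decode only turns `%25` into `%`. The following is an added example, not code from the bug report, from Debian or from Jetty itself. It shows the defender's side: a canonicalization routine that decodes until the string stops changing, normalizes `..` segments, and then refuses paths that resolve into `WEB-INF` or `META-INF`, plus a scan over constructed access-log lines that flags requests whose path or concat targets resolve that way. The function names, the log lines and the assumption that the servlet takes a comma-separated list of resource paths after `?` are all constructed for this example.

```python
# Added example (not from the bug report, the Debian changelog, or Jetty
# itself): a model of the CVE-2021-28169 bug class, written from the
# defender's side. Function and variable names are constructed here; the
# request shape (/concat?<comma-separated resource paths>) is an assumption
# taken from the example URL in the report, not from Jetty source.
import posixpath
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3                      # bound so a hostile path cannot loop forever
PROTECTED_DIRS = ("web-inf", "meta-inf")   # servlet-spec protected directories


def canonicalize(path: str) -> str:
    """Percent-decode until the string stops changing, then normalize segments.

    One decode of "/%2557EB-INF/web.xml" gives "/%57EB-INF/web.xml", which a
    substring check for "WEB-INF" does not catch; the second decode gives
    "/WEB-INF/web.xml". Normalizing afterwards collapses "." and ".." so that
    "/static/../WEB-INF/web.xml" is judged on its resolved form.
    """
    current = path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return posixpath.normpath("/" + current.lstrip("/"))


def is_protected(path: str) -> bool:
    """True when the canonical path starts in WEB-INF or META-INF (any case)."""
    segments = [s for s in canonicalize(path).split("/") if s]
    return bool(segments) and segments[0].lower() in PROTECTED_DIRS


def hidden_by_double_encoding(path: str) -> bool:
    """True when the path reaches a protected directory only after a second
    decode, i.e. a single-decode check would have let it through."""
    once = unquote(path).lower()
    single_decode_sees_it = any(d in once for d in PROTECTED_DIRS)
    return is_protected(path) and not single_decode_sees_it


# Constructed access-log lines in combined format; addresses and times are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jul/2021:17:33:33 +0000] "GET /concat?/%2557EB-INF/web.xml HTTP/1.1" 200 1234',
    '10.0.0.6 - - [03/Jul/2021:17:34:01 +0000] "GET /concat?/js/app.js,/js/util.js HTTP/1.1" 200 5678',
    '10.0.0.7 - - [03/Jul/2021:17:35:12 +0000] "GET /static/../WEB-INF/web.xml HTTP/1.1" 404 0',
    '10.0.0.8 - - [03/Jul/2021:17:36:40 +0000] "GET /index.html HTTP/1.1" 200 321',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def request_targets(line: str) -> list:
    """Return the request path plus each resource named in the query string."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    return [path] + [q for q in query.split(",") if q]


def scan_log(lines) -> list:
    """Indices of log lines whose path or concat targets resolve into a protected directory."""
    return [i for i, line in enumerate(lines)
            if any(is_protected(t) for t in request_targets(line))]


if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[i])
```

The decode loop is bounded on purpose: a check that decodes exactly once is the bug, but an unbounded loop is its own denial-of-service risk, and three rounds already exceed any encoding depth a legitimate client produces. Applying `is_protected` to every resource named in the query string, not only to the request path, is what covers the `ConcatServlet` shape of the report; the `hidden_by_double_encoding` helper separates the encoding trick from plain traversal so a triage rule can weight the two differently.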
--- Begin Message ---
Source: jetty9
Source-Version: 9.4.39-2
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jetty9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated jetty9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Jul 2021 19:09:58 +0200
Source: jetty9
Architecture: source
Version: 9.4.39-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 989999 990578
Changes:
 jetty9 (9.4.39-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-28169:
     It is possible for requests to the ConcatServlet with a doubly encoded path
     to access protected resources within the WEB-INF directory. For example a
     request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file.
     This can reveal sensitive information regarding the implementation of a web
     application.
   * Fix CVE-2021-34428:
     If an exception is thrown from the SessionListener#sessionDestroyed()
     method, then the session ID is not invalidated in the session ID manager.
     On deployments with clustered sessions and multiple contexts this can
     result in a session not being invalidated. This can result in an
     application used on a shared computer being left logged in.
 .
     Thanks to Salvatore Bonaccorso for the report. (Closes: #989999, #990578)
Checksums-Sha1:
 243a6085339f97a67f0f6fe22cf457b06fbd673f 2750 jetty9_9.4.39-2.dsc
 dc111ddb55b883e94e7b7466f5c73df91e88b597 34032 jetty9_9.4.39-2.debian.tar.xz
 7298bdfc21d956e57802410a44cb9d86cd669c7d 17328 jetty9_9.4.39-2_amd64.buildinfo
Checksums-Sha256:
 cb3fce4e7d6c62fd8f09c9c30e30902428d638ae01b84dee1c51401a8402ed07 2750 jetty9_9.4.39-2.dsc
 9711465b5e92138bf7e80bcaba62a2289fcc264af72c80c9e62088010a7d2a3c 34032 jetty9_9.4.39-2.debian.tar.xz
 b4fe5aea727b3a1cf21688f5d73aad9ec02525bd7f1d232977959e8e1aca5bd8 17328 jetty9_9.4.39-2_amd64.buildinfo
Files:
 1b9692f19cef994219044cb5bbd055e4 2750 java optional jetty9_9.4.39-2.dsc
 a772caca130c93bd4d9f2f7d60cacf2e 34032 java optional jetty9_9.4.39-2.debian.tar.xz
 0e4723be306d6e0b5b078a4983eb9b3a 17328 java optional jetty9_9.4.39-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
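The second fix in the changelog above, CVE-2021-34428, is an ordering bug rather than a parsing one: if a `SessionListener#sessionDestroyed()` hook throws, the session id never reaches the session id manager, so on a clustered deployment the session stays valid. The following is an added example, not Jetty code and not part of the Debian upload; it is a small model of that failure mode with class, method and session-id names constructed for the purpose. It models only what the changelog states, and puts the fragile ordering beside the hardened one, where the id is removed in a `finally` block so that a listener failure is still reported but can no longer keep the session alive.

```python
# Added example, not Jetty code: a model of the CVE-2021-34428 failure mode
# described in the Debian changelog. Class and method names are constructed
# for this model; the behaviour modelled is only what the changelog states,
# namely that an exception from sessionDestroyed() leaves the id live in the
# session id manager.


class SessionIdManager:
    """Shared (cluster-wide) record of which session ids are still live."""

    def __init__(self):
        self.live_ids = set()

    def is_live(self, session_id: str) -> bool:
        return session_id in self.live_ids


class SessionHandler:
    def __init__(self, id_manager: SessionIdManager, listeners, hardened: bool):
        self.id_manager = id_manager
        self.listeners = listeners   # callables standing in for sessionDestroyed() hooks
        self.hardened = hardened

    def _notify_destroyed(self, session_id: str) -> None:
        for listener in self.listeners:
            listener(session_id)

    def invalidate(self, session_id: str) -> None:
        if self.hardened:
            # Hardened ordering: the id is removed even if a listener raises;
            # the exception still propagates so the failure is not silently lost.
            try:
                self._notify_destroyed(session_id)
            finally:
                self.id_manager.live_ids.discard(session_id)
        else:
            # Fragile ordering: an exception in a listener aborts the method
            # before the id manager is told, so the id stays valid elsewhere.
            self._notify_destroyed(session_id)
            self.id_manager.live_ids.discard(session_id)


def failing_listener(session_id: str) -> None:
    """Constructed listener that always fails, as the changelog scenario requires."""
    raise RuntimeError("sessionDestroyed() failed for " + session_id)


def session_survives_failed_invalidate(hardened: bool) -> bool:
    """Run one invalidate() with a throwing listener; report whether the id is still live."""
    id_manager = SessionIdManager()
    id_manager.live_ids.add("constructed-session-id")
    handler = SessionHandler(id_manager, [failing_listener], hardened)
    try:
        handler.invalidate("constructed-session-id")
    except RuntimeError:
        pass   # an application would log this; the point is what the id manager now says
    return id_manager.is_live("constructed-session-id")


if __name__ == "__main__":
    print("fragile ordering, id still live:", session_survives_failed_invalidate(False))
    print("hardened ordering, id still live:", session_survives_failed_invalidate(True))
```

The hardened branch does not swallow the listener's exception; it only guarantees that the id-manager update runs regardless. That distinction matters for the logout-on-shared-computer case the changelog mentions: the user-visible error from a broken listener is a bug to fix, but a session that outlives its own invalidation is the security problem.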