An update for jetty is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2300 Final 1.0 1.0 2024-10-25 Initial 2024-10-25 2024-10-25 openEuler SA Tool V1.0 2024-10-25 jetty security update An update for jetty is now available for openEuler-22.03-LTS-SP3 %global desc \ Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\ do not need to configure and run a separate web server (like Apache) in order\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\ featured web server for static and dynamic content. Unlike separate\ server/container solutions, this means that your web server and web\ application run in the same process, without interconnection overheads\ and complications. Furthermore, as a pure java component, Jetty can be simply\ included in your application for demonstration, distribution or deployment.\ Jetty is available on all Java supported platforms. \ %global extdesc \\ \ This package contains Security Fix(es): Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).(CVE-2023-26048) Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2. (CVE-2023-36479) Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.(CVE-2023-40167) An update for jetty is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium jetty https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2300 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-26048 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-36479 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-40167 https://nvd.nist.gov/vuln/detail/CVE-2023-26048 https://nvd.nist.gov/vuln/detail/CVE-2023-36479 https://nvd.nist.gov/vuln/detail/CVE-2023-40167 openEuler-22.03-LTS-SP3 jetty-9.4.16-7.oe2203sp3.src.rpm jetty-9.4.16-7.oe2203sp3.noarch.rpm jetty-alpn-client-9.4.16-7.oe2203sp3.noarch.rpm jetty-alpn-server-9.4.16-7.oe2203sp3.noarch.rpm jetty-annotations-9.4.16-7.oe2203sp3.noarch.rpm jetty-ant-9.4.16-7.oe2203sp3.noarch.rpm jetty-cdi-9.4.16-7.oe2203sp3.noarch.rpm jetty-client-9.4.16-7.oe2203sp3.noarch.rpm jetty-continuation-9.4.16-7.oe2203sp3.noarch.rpm jetty-deploy-9.4.16-7.oe2203sp3.noarch.rpm jetty-fcgi-client-9.4.16-7.oe2203sp3.noarch.rpm jetty-fcgi-server-9.4.16-7.oe2203sp3.noarch.rpm jetty-http-9.4.16-7.oe2203sp3.noarch.rpm jetty-http-spi-9.4.16-7.oe2203sp3.noarch.rpm jetty-http2-client-9.4.16-7.oe2203sp3.noarch.rpm jetty-http2-common-9.4.16-7.oe2203sp3.noarch.rpm jetty-http2-hpack-9.4.16-7.oe2203sp3.noarch.rpm jetty-http2-http-client-transport-9.4.16-7.oe2203sp3.noarch.rpm jetty-http2-server-9.4.16-7.oe2203sp3.noarch.rpm jetty-httpservice-9.4.16-7.oe2203sp3.noarch.rpm jetty-infinispan-9.4.16-7.oe2203sp3.noarch.rpm jetty-io-9.4.16-7.oe2203sp3.noarch.rpm jetty-jaas-9.4.16-7.oe2203sp3.noarch.rpm jetty-jaspi-9.4.16-7.oe2203sp3.noarch.rpm jetty-javadoc-9.4.16-7.oe2203sp3.noarch.rpm jetty-javax-websocket-client-impl-9.4.16-7.oe2203sp3.noarch.rpm jetty-javax-websocket-server-impl-9.4.16-7.oe2203sp3.noarch.rpm jetty-jmx-9.4.16-7.oe2203sp3.noarch.rpm jetty-jndi-9.4.16-7.oe2203sp3.noarch.rpm jetty-jsp-9.4.16-7.oe2203sp3.noarch.rpm jetty-jspc-maven-plugin-9.4.16-7.oe2203sp3.noarch.rpm jetty-jstl-9.4.16-7.oe2203sp3.noarch.rpm jetty-maven-plugin-9.4.16-7.oe2203sp3.noarch.rpm jetty-nosql-9.4.16-7.oe2203sp3.noarch.rpm jetty-osgi-alpn-9.4.16-7.oe2203sp3.noarch.rpm jetty-osgi-boot-9.4.16-7.oe2203sp3.noarch.rpm jetty-osgi-boot-jsp-9.4.16-7.oe2203sp3.noarch.rpm jetty-osgi-boot-warurl-9.4.16-7.oe2203sp3.noarch.rpm jetty-plus-9.4.16-7.oe2203sp3.noarch.rpm jetty-project-9.4.16-7.oe2203sp3.noarch.rpm jetty-proxy-9.4.16-7.oe2203sp3.noarch.rpm jetty-quickstart-9.4.16-7.oe2203sp3.noarch.rpm jetty-rewrite-9.4.16-7.oe2203sp3.noarch.rpm jetty-security-9.4.16-7.oe2203sp3.noarch.rpm jetty-server-9.4.16-7.oe2203sp3.noarch.rpm jetty-servlet-9.4.16-7.oe2203sp3.noarch.rpm jetty-servlets-9.4.16-7.oe2203sp3.noarch.rpm jetty-spring-9.4.16-7.oe2203sp3.noarch.rpm jetty-start-9.4.16-7.oe2203sp3.noarch.rpm jetty-unixsocket-9.4.16-7.oe2203sp3.noarch.rpm jetty-util-9.4.16-7.oe2203sp3.noarch.rpm jetty-util-ajax-9.4.16-7.oe2203sp3.noarch.rpm jetty-webapp-9.4.16-7.oe2203sp3.noarch.rpm jetty-websocket-api-9.4.16-7.oe2203sp3.noarch.rpm jetty-websocket-client-9.4.16-7.oe2203sp3.noarch.rpm jetty-websocket-common-9.4.16-7.oe2203sp3.noarch.rpm jetty-websocket-server-9.4.16-7.oe2203sp3.noarch.rpm jetty-websocket-servlet-9.4.16-7.oe2203sp3.noarch.rpm jetty-xml-9.4.16-7.oe2203sp3.noarch.rpm Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). 2024-10-25 CVE-2023-26048 openEuler-22.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L jetty security update 2024-10-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2300 Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2. 2024-10-25 CVE-2023-36479 openEuler-22.03-LTS-SP3 Medium 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N jetty security update 2024-10-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2300 Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario. 2024-10-25 CVE-2023-40167 openEuler-22.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N jetty security update 2024-10-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2300