Skip to content

[Security] Bump jetty-server from 9.3.25.v20180904 to 9.4.12.v20180830 #411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot-preview wants to merge 1 commit into from
Closed

[Security] Bump jetty-server from 9.3.25.v20180904 to 9.4.12.v20180830 #411

dependabot-preview wants to merge 1 commit into from

Conversation

@dependabot-preview
Copy link
Contributor

@dependabot-preview dependabot-preview bot commented Apr 26, 2021

Bumps jetty-server from 9.3.25.v20180904 to 9.4.12.v20180830. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Installation information leak in Eclipse Jetty In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Affected versions: >= 9.3.0, <= 9.3.26.v20190403

Sourced from The GitHub Security Advisory Database.

Information Exposure vulnerability in Eclipse Jetty In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

Affected versions: >= 9.3.0, <= 9.3.26.v20190403

Sourced from The GitHub Security Advisory Database.

Cross-site Scripting in Eclipse Jetty In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Affected versions: >= 9.3.0, <= 9.3.25.v20180904

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.eclipse.jetty:jetty-server In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

Affected versions: >= 9.3.0, < 9.4.12.v20180830

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects org.eclipse.jetty:jetty-server In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Affected versions: >= 9.3.0, < 9.3.26.v20190403

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.eclipse.jetty:jetty-server In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Affected versions: >= 9.3.0, < 9.3.27.v20190418

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects org.eclipse.jetty:jetty-server In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

Affected versions: >= 9.3.0, < 9.3.27.v20190418

Release notes

Sourced from jetty-server's releases.

9.3.29.v20201019

Changes

  • #4217 : SslConnection.DecryptedEnpoint.flush eternal busy loop
  • #4443 : Track backport of ALPN APIs to Java 8
  • #5451 : Improve Working Directory creation
Commits
  • 2720868 Updating to version 9.4.12.v20180830
  • a878170 Merge pull request #2872 from eclipse/jetty-9.4.x-2871-wrong_eof_after_http2_...
  • eb87415 Issue #2871 - Server reads -1 after client resets HTTP/2 stream.
  • 9cb9be8 Issue #2846 Jaas ldap unit test (#2864)
  • 88363dd Cleaning up note.
  • 1383f60 Updated Maven Plugin and dependencies versions.
  • 7cf027b Jetty 9.4.x 2711 tls 13 compliance (#2857)
  • 9f6747d Updated gzip doc. Resolves #2845
  • 09be34e Issue #2844 Clean up webdefault and DefaultServlet documentation (#2851)
  • 5b5f2fc Merged branch 'jetty-9.3.x' into 'jetty-9.4.x'.
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
[Security] Bump jetty-server from 9.3.25.v20180904 to 9.4.12.v20180830
c6776aa 
Bumps [jetty-server](https://github.com/eclipse/jetty.project) from 9.3.25.v20180904 to 9.4.12.v20180830. **This update includes security fixes.**
- [Release notes](https://github.com/eclipse/jetty.project/releases)
- [Commits](jetty/jetty.project@jetty-9.3.25.v20180904...jetty-9.4.12.v20180830)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Apr 26, 2021
@dependabot-preview
Copy link
Contributor Author

dependabot-preview bot commented Jun 23, 2021

Superseded by #447.

@dependabot-preview dependabot-preview bot deleted the dependabot/maven/develop/org.eclipse.jetty-jetty-server-9.4.12.v20180830 branch June 23, 2021 20:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants