An update for jetty is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1166
Final
1.0
1.0
2021-05-06
Initial
2021-05-06
2021-05-06
openEuler SA Tool V1.0
2021-05-06
jetty security update
An update for jetty is now available for openEuler-20.03-LTS-SP1.
%global desc \ Jetty is a 100% Java HTTP Server and Servlet Container. This means that you\ do not need to configure and run a separate web server (like Apache) in order\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\ featured web server for static and dynamic content. Unlike separate\ server/container solutions, this means that your web server and web\ application run in the same process, without interconnection overheads\ and complications. Furthermore, as a pure java component, Jetty can be simply\ included in your application for demonstration, distribution or deployment.\ Jetty is available on all Java supported platforms. %{desc} %global extdesc %{desc}\ \ This package contains
Security Fix(es):
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.(CVE-2020-27223)
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.(CVE-2021-28165)
An update for jetty is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
jetty
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1166
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27223
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-28165
https://nvd.nist.gov/vuln/detail/CVE-2020-27223
https://nvd.nist.gov/vuln/detail/CVE-2021-28165
openEuler-20.03-LTS-SP1
jetty-http-spi-9.4.15-7.oe1.noarch.rpm
jetty-websocket-servlet-9.4.15-7.oe1.noarch.rpm
jetty-jaas-9.4.15-7.oe1.noarch.rpm
jetty-javadoc-9.4.15-7.oe1.noarch.rpm
jetty-javax-websocket-client-impl-9.4.15-7.oe1.noarch.rpm
jetty-xml-9.4.15-7.oe1.noarch.rpm
jetty-io-9.4.15-7.oe1.noarch.rpm
jetty-maven-plugin-9.4.15-7.oe1.noarch.rpm
jetty-osgi-boot-9.4.15-7.oe1.noarch.rpm
jetty-osgi-boot-jsp-9.4.15-7.oe1.noarch.rpm
jetty-continuation-9.4.15-7.oe1.noarch.rpm
jetty-infinispan-9.4.15-7.oe1.noarch.rpm
jetty-fcgi-server-9.4.15-7.oe1.noarch.rpm
jetty-http2-http-client-transport-9.4.15-7.oe1.noarch.rpm
jetty-osgi-alpn-9.4.15-7.oe1.noarch.rpm
jetty-spring-9.4.15-7.oe1.noarch.rpm
jetty-ant-9.4.15-7.oe1.noarch.rpm
jetty-nosql-9.4.15-7.oe1.noarch.rpm
jetty-project-9.4.15-7.oe1.noarch.rpm
jetty-http2-client-9.4.15-7.oe1.noarch.rpm
jetty-jndi-9.4.15-7.oe1.noarch.rpm
jetty-servlets-9.4.15-7.oe1.noarch.rpm
jetty-javax-websocket-server-impl-9.4.15-7.oe1.noarch.rpm
jetty-servlet-9.4.15-7.oe1.noarch.rpm
jetty-util-9.4.15-7.oe1.noarch.rpm
jetty-deploy-9.4.15-7.oe1.noarch.rpm
jetty-httpservice-9.4.15-7.oe1.noarch.rpm
jetty-plus-9.4.15-7.oe1.noarch.rpm
jetty-rewrite-9.4.15-7.oe1.noarch.rpm
jetty-websocket-api-9.4.15-7.oe1.noarch.rpm
jetty-websocket-client-9.4.15-7.oe1.noarch.rpm
jetty-fcgi-client-9.4.15-7.oe1.noarch.rpm
jetty-http-9.4.15-7.oe1.noarch.rpm
jetty-jstl-9.4.15-7.oe1.noarch.rpm
jetty-osgi-boot-warurl-9.4.15-7.oe1.noarch.rpm
jetty-websocket-common-9.4.15-7.oe1.noarch.rpm
jetty-webapp-9.4.15-7.oe1.noarch.rpm
jetty-http2-common-9.4.15-7.oe1.noarch.rpm
jetty-util-ajax-9.4.15-7.oe1.noarch.rpm
jetty-proxy-9.4.15-7.oe1.noarch.rpm
jetty-cdi-9.4.15-7.oe1.noarch.rpm
jetty-jmx-9.4.15-7.oe1.noarch.rpm
jetty-server-9.4.15-7.oe1.noarch.rpm
jetty-unixsocket-9.4.15-7.oe1.noarch.rpm
jetty-start-9.4.15-7.oe1.noarch.rpm
jetty-websocket-server-9.4.15-7.oe1.noarch.rpm
jetty-jspc-maven-plugin-9.4.15-7.oe1.noarch.rpm
jetty-http2-hpack-9.4.15-7.oe1.noarch.rpm
jetty-annotations-9.4.15-7.oe1.noarch.rpm
jetty-jsp-9.4.15-7.oe1.noarch.rpm
jetty-alpn-client-9.4.15-7.oe1.noarch.rpm
jetty-9.4.15-7.oe1.noarch.rpm
jetty-client-9.4.15-7.oe1.noarch.rpm
jetty-http2-server-9.4.15-7.oe1.noarch.rpm
jetty-jaspi-9.4.15-7.oe1.noarch.rpm
jetty-quickstart-9.4.15-7.oe1.noarch.rpm
jetty-alpn-server-9.4.15-7.oe1.noarch.rpm
jetty-security-9.4.15-7.oe1.noarch.rpm
jetty-9.4.15-7.oe1.src.rpm
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
2021-05-06
CVE-2020-27223
openEuler-20.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
jetty security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1166
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
2021-05-06
CVE-2021-28165
openEuler-20.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
jetty security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1166