An update for jetty is now available for openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1032 Final 1.0 1.0 2023-01-13 Initial 2023-01-13 2023-01-13 openEuler SA Tool V1.0 2023-01-13 jetty security update An update for jetty is now available for openEuler-22.03-LTS. Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment.Jetty is available on all Java supported platforms. Security Fix(es): In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.(CVE-2022-2048) In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.(CVE-2022-2047) An update for jetty is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High jetty https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1032 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2048 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2047 https://nvd.nist.gov/vuln/detail/CVE-2022-2048 https://nvd.nist.gov/vuln/detail/CVE-2022-2047 openEuler-22.03-LTS jetty-alpn-client-9.4.16-3.oe2203.noarch.rpm jetty-jaspi-9.4.16-3.oe2203.noarch.rpm jetty-plus-9.4.16-3.oe2203.noarch.rpm jetty-websocket-api-9.4.16-3.oe2203.noarch.rpm jetty-util-9.4.16-3.oe2203.noarch.rpm jetty-rewrite-9.4.16-3.oe2203.noarch.rpm jetty-websocket-common-9.4.16-3.oe2203.noarch.rpm jetty-spring-9.4.16-3.oe2203.noarch.rpm jetty-9.4.16-3.oe2203.noarch.rpm jetty-project-9.4.16-3.oe2203.noarch.rpm jetty-websocket-client-9.4.16-3.oe2203.noarch.rpm jetty-http2-client-9.4.16-3.oe2203.noarch.rpm jetty-http2-server-9.4.16-3.oe2203.noarch.rpm jetty-jaas-9.4.16-3.oe2203.noarch.rpm jetty-http-9.4.16-3.oe2203.noarch.rpm jetty-websocket-server-9.4.16-3.oe2203.noarch.rpm jetty-http2-common-9.4.16-3.oe2203.noarch.rpm jetty-start-9.4.16-3.oe2203.noarch.rpm jetty-websocket-servlet-9.4.16-3.oe2203.noarch.rpm jetty-maven-plugin-9.4.16-3.oe2203.noarch.rpm jetty-jndi-9.4.16-3.oe2203.noarch.rpm jetty-http-spi-9.4.16-3.oe2203.noarch.rpm jetty-util-ajax-9.4.16-3.oe2203.noarch.rpm jetty-jsp-9.4.16-3.oe2203.noarch.rpm jetty-deploy-9.4.16-3.oe2203.noarch.rpm jetty-ant-9.4.16-3.oe2203.noarch.rpm jetty-javax-websocket-client-impl-9.4.16-3.oe2203.noarch.rpm jetty-osgi-boot-9.4.16-3.oe2203.noarch.rpm jetty-webapp-9.4.16-3.oe2203.noarch.rpm jetty-httpservice-9.4.16-3.oe2203.noarch.rpm jetty-proxy-9.4.16-3.oe2203.noarch.rpm jetty-io-9.4.16-3.oe2203.noarch.rpm jetty-cdi-9.4.16-3.oe2203.noarch.rpm jetty-jspc-maven-plugin-9.4.16-3.oe2203.noarch.rpm jetty-osgi-boot-jsp-9.4.16-3.oe2203.noarch.rpm jetty-quickstart-9.4.16-3.oe2203.noarch.rpm jetty-nosql-9.4.16-3.oe2203.noarch.rpm jetty-unixsocket-9.4.16-3.oe2203.noarch.rpm jetty-security-9.4.16-3.oe2203.noarch.rpm jetty-annotations-9.4.16-3.oe2203.noarch.rpm jetty-servlet-9.4.16-3.oe2203.noarch.rpm jetty-http2-http-client-transport-9.4.16-3.oe2203.noarch.rpm jetty-fcgi-server-9.4.16-3.oe2203.noarch.rpm jetty-http2-hpack-9.4.16-3.oe2203.noarch.rpm jetty-javax-websocket-server-impl-9.4.16-3.oe2203.noarch.rpm jetty-alpn-server-9.4.16-3.oe2203.noarch.rpm jetty-jstl-9.4.16-3.oe2203.noarch.rpm jetty-osgi-boot-warurl-9.4.16-3.oe2203.noarch.rpm jetty-servlets-9.4.16-3.oe2203.noarch.rpm jetty-client-9.4.16-3.oe2203.noarch.rpm jetty-osgi-alpn-9.4.16-3.oe2203.noarch.rpm jetty-fcgi-client-9.4.16-3.oe2203.noarch.rpm jetty-xml-9.4.16-3.oe2203.noarch.rpm jetty-infinispan-9.4.16-3.oe2203.noarch.rpm jetty-jmx-9.4.16-3.oe2203.noarch.rpm jetty-server-9.4.16-3.oe2203.noarch.rpm jetty-continuation-9.4.16-3.oe2203.noarch.rpm jetty-javadoc-9.4.16-3.oe2203.noarch.rpm jetty-9.4.16-3.oe2203.src.rpm In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. 2023-01-13 CVE-2022-2048 openEuler-22.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H jetty security update 2023-01-13 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1032 In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. 2023-01-13 CVE-2022-2047 openEuler-22.03-LTS Low 2.7 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H jetty security update 2023-01-13 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1032