Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a76f2e7a by Hugo Lefeuvre at 2018-09-08T20:22:42Z
jetty/jetty8: mark remaining CVEs <ignored>

Exploit may have significant impact but requires very specific
conditions, which makes it very unlikely. I could not reproduce any of
these issues on jetty and jetty8. Furthermore, fixing these issues in
8.x branches and older is going to be very time-expensive according to
upstream.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -10261,7 +10261,9 @@ CVE-2018-12536 (In Eclipse Jetty Server, all 9.x 
versions, on webapps deployed u
        - jetty9 9.2.25-1 (low; bug #902774)
        [stretch] - jetty9 <ignored> (Harmless information leak)
        - jetty8 <removed>
+       [jessie] - jetty8 <ignored> (Harmless information leak)
        - jetty <removed>
+       [jessie] - jetty <ignored> (Harmless information leak)
        NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
 CVE-2018-12535
        RESERVED
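Review bot: The two added `[jessie]` lines reuse the stretch justification "(Harmless information leak)", whereas the commit message gives a different reason for jessie (the issue could not be reproduced on jetty and jetty8). Consider recording that finding as a NOTE line under CVE-2018-12536, as this commit already does for CVE-2017-7658, so the reasoning behind `<ignored>` is traceable from the tracker entry itself rather than only from git history.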
@@ -74703,21 +74705,28 @@ CVE-2017-7659 (A maliciously constructed HTTP/2 
request could cause mod_http2 2.
 CVE-2017-7658 (In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all 
non ...)
        {DSA-4278-1}
        - jetty <removed>
+       [jessie] - jetty <ignored> (very hard to exploit, complex patch)
        - jetty8 <removed>
+       [jessie] - jetty8 <ignored> (very hard to exploit, complex patch)
        - jetty9 9.2.25-1 (low; bug #902953)
        NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
        NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
+       NOTE: Exploit very unlikely, needs a very particular intermediary 
behaviour.
 CVE-2017-7657 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all ...)
        {DSA-4278-1}
        - jetty <removed>
+       [jessie] - jetty <ignored> (very hard to exploit, complex patch)
        - jetty8 <removed>
+       [jessie] - jetty8 <ignored> (very hard to exploit, complex patch)
        - jetty9 9.2.25-1 (low; bug #902953)
        NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
        NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
 CVE-2017-7656 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all ...)
        {DSA-4278-1}
        - jetty <removed>
+       [jessie] - jetty <ignored> (very hard to exploit, complex patch)
        - jetty8 <removed>
+       [jessie] - jetty8 <ignored> (very hard to exploit, complex patch)
        - jetty9 9.2.25-1 (low; bug #902953)
        NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
        NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
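Review bot: The justifying line `NOTE: Exploit very unlikely, needs a very particular intermediary behaviour.` is added only under CVE-2017-7658, while CVE-2017-7657 and CVE-2017-7656 receive the same `[jessie] - jetty <ignored> (very hard to exploit, complex patch)` markings and reference the same upstream commit a285deea. Either add the same NOTE under the other two entries or state in the CVE-2017-7658 NOTE that it covers all three, so a later reader of `data/CVE/list` sees the rationale next to each `<ignored>` tag.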


=====================================
data/dla-needed.txt
=====================================
@@ -29,20 +29,6 @@ glusterfs
 gnutls28 (Ola Lundqvist)
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. 
(lamby)
 --
-jetty (Hugo Lefeuvre)
-  NOTE: 20180702: jetty8 almost never marked as affected whereas jetty and 
jetty9 are. Reason ?
-  NOTE: 20180702: CVE-2018-12536 fixed in latest upstream release. Looks like 
upstream
-  NOTE: 20180702: voluntarily obfuscated the issue (fix hidden in unrelated 
changes).
-  NOTE: 20180702: Fix (9.4.x): a51920d650d924cc2cea011995624b394437c6e0
-  NOTE: 20180702:     (9.3.x): 53e8bc2a636707e896fd106fbee3596823c2cdc9 
(closer to Debian versions)
-  NOTE: 20180702: check before putting in the tracker.
-  NOTE: 20180702: jetty:  doesn't seem to be affected (Wheezy + Jessie)
-  NOTE: 20180702: jetty8: still need to check (Wheezy + Jessie)
-  NOTE: 20180702: jetty9: affected, will provide patches for stretch and 
testing
-  NOTE: 20180716: can't reproduce CVE-2018-12536, e-mailed upstream for more 
information
---
-jetty8 (Hugo Lefeuvre)
---
 kamailio (Chris Lamb)
 --
 kdepim
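Review bot: Deleting the jetty entry also drops the upstream fix references for CVE-2018-12536 (`a51920d650d924cc2cea011995624b394437c6e0` for 9.4.x and `53e8bc2a636707e896fd106fbee3596823c2cdc9` for 9.3.x, noted as closer to the Debian versions) and the 20180716 note that the issue could not be reproduced and upstream was e-mailed. The CVE-2018-12536 entry in `data/CVE/list` only carries the Eclipse bug URL, so consider moving the 9.3.x commit hash and the non-reproduction finding into NOTE lines there before removing them from dla-needed.txt, otherwise that research is lost from the tracker data.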



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a76f2e7ac67bd0fd741a7200c280b605fd358241

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits