[jira] [Commented] (AMQ-3693) Upgrade Jetty to address CVE-2011-4461

[Timothy Bish (Commented) (JIRA)]

    [ 
https://issues.apache.org/jira/browse/AMQ-3693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202421#comment-13202421
 ] 

Timothy Bish commented on AMQ-3693:
-----------------------------------

Applying the new patch and running locally, access to the AMQ web console 
produces large numbers of the following exception on the broker:

{noformat}
WARN | /admin/styles/prettify.css;jsessionid=16o74xc6vb13s1dc6cpufjy8de
java.lang.NullPointerException
        at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:514)
        at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
        at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
        at 
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
        at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
        at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
        at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
        at 
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
        at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:499)
        at 
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
        at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
        at org.eclipse.jetty.server.Server.handle(Server.java:349)
        at 
org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
        at 
org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:910)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:634)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
        at 
org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
        at 
org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
        at 
org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
        at java.lang.Thread.run(Thread.java:662)
{noformat}

                
> Upgrade Jetty to address CVE-2011-4461
> --------------------------------------
>
>                 Key: AMQ-3693
>                 URL: https://issues.apache.org/jira/browse/AMQ-3693
>             Project: ActiveMQ
>          Issue Type: Task
>    Affects Versions: 5.5.1
>            Reporter: Bruce Snyder
>         Attachments: upgrade-jetty.patch
>
>
> Upgrade Jetty to the 7.6.0 release when it becomes final so as to address a 
> DoS vulnerability. See the 
> [CVE-2011-4461|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461] 
> for more information. See also the attached patch for changes. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira