[
https://issues.apache.org/jira/browse/AMQ-3693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205249#comment-13205249
]
Bruce Snyder commented on AMQ-3693:
-----------------------------------
I have determined that the NPE is actually due to the combination of two items:
# A misconfiguration of Jetty in the jetty.xml file -- normally each web
context should have its own authenticator configured. The way that the three
contexts are currently configured is not correct. I'm still working through
this with Greg Wilkins.
# A bug in Jetty where it should be performing a null check on the security
handler for a given context:
[https://bugs.eclipse.org/bugs/show_bug.cgi?id=371162]
Greg has already fixed this bug in the Jetty master branch and will included it
in the Jetty 7.6.1 release next week.
> Upgrade Jetty to address CVE-2011-4461
> --------------------------------------
>
> Key: AMQ-3693
> URL: https://issues.apache.org/jira/browse/AMQ-3693
> Project: ActiveMQ
> Issue Type: Task
> Affects Versions: 5.5.1
> Reporter: Bruce Snyder
> Attachments: upgrade-jetty.patch
>
>
> Upgrade Jetty to the 7.6.0 release when it becomes final so as to address a
> DoS vulnerability. See the
> [CVE-2011-4461|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461]
> for more information. See also the attached patch for changes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
