After chatting on IM, it does appear that it is too late to 
change the jetty version, so I retract my -1 and make it a -0.

The 1.0 release can go out with the windows security problem - I don't 
think many will be rushing it into production.

The Jetty 5.1.10 release is available and can be used to replace
the jar if security is paramount.

Some text for the release notes:

There is a security issue with the Jetty 5.1.9 used by Geronimo 1.0, which
allows a crafted URL to access the contents of a WEB-INF directory if the
server is running on a Windows platform. This issue is fixed in Jetty 5.1.10,
and the 5.1.9 jar in Geronimo 1.0 can be replaced with the jar from 5.1.10.
It is not recommended that Geronimo-Jetty 1.0 be used to serve a non-open
web application from a Windows platform.

cheers
Matt Hogstrom wrote:
> Greg,
> 
> I was wrapping up the release last night and was releasing it today
> based on the prior feedback.  Can you provide some more details on the
> exposure?  My preference would be to release G 1.0 as is and fix this in
> 1.0.1.  I need your expert opinion of the exposure WRT to security.
> 
> There will always be something left to fix; this will delay releasing
> about 1 week to allow for a new review of the code, re-certification, etc.
> 
> I see a few options at this point.
> 
> 1. Continue with the release despite this information.
> 
> 2. Hold the release until this can be fixed (which then also begs the
> question of moving to the more recent Tomcat version with their fix for
> 0 content length on POST requests).  This will delay the release for at
> least one week.
> 
> 3. Ship Geronimo with Tomcat and get 1.0 out the door.  We ship with
> both Tomcat and Jetty for 1.0.1 with this security fix included.
> 
> The security hole you've outlined sounds serious but I was wondering if
> it's a specific set of implementations that could be documented (i.e. is
> this something that someone just found and it's a rather obscure config?)
> 
> Other input welcome.  I'm going to complete getting the release ready
> but defer punching the button until this afternoon (about 1500 PT).
> 
> Matt
> 
> Greg Wilkins wrote:
> 
>> Sorry guys but
>>
>> -1
>>
>> I've just had a report of a security issue in Jetty that reveals the
>> contents of WEB-INF on win32 platforms.    Happy f*&#ing new year!
>>
>> I have a fix and will be making a release very shortly.  To avoid any
>> other issues, I will probably roll back the other changes in HEAD so
>> only this fix will go in.
>>
>> But if it really is too late to change the jetty version, then -0
>>
>> regards