Alex Rudyy created QPID-8259:
--------------------------------
Summary: [Broker-J] Upgrade Jetty to version 9.4.12.v20180830
Key: QPID-8259
URL: https://issues.apache.org/jira/browse/QPID-8259
Project: Qpid
Issue Type: Improvement
Components: Broker-J
Reporter: Alex Rudyy
Fix For: qpid-java-broker-7.1.0
A number of security vulnerabilities have been reported against the version in use.
See https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html
||Date (yyyy/mm/dd)||ID||Exploitable||Severity||Affects||Fixed Version||Comment||
|2018/06/25|CVE-2018-12538|High|High|>= 9.4.0, <= 9.4.8|9.4.9|HttpSessions present specifically in the FileSystem's storage could be hijacked/accessed by an unauthorized user.|
|2018/06/25|CVE-2018-12536|High|See CWE-202|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|InvalidPathException message reveals webapp system path.|
|2018/06/25|CVE-2017-7658|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|Too tolerant parser: double Content-Length + Transfer-Encoding + whitespace.|
|2018/06/25|CVE-2017-7657|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|HTTP/1.1 request smuggling with carefully crafted body content (does not apply to HTTP/1.0 or HTTP/2).|
|2018/06/25|CVE-2017-7656|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|HTTP request smuggling when used with invalid request headers (for HTTP/0.9).|
--
This message was sent by Atlassian JIRA (v7.6.3#76005)