[jira] [Commented] (QPID-8259) [Broker-J] Upgrade Jetty to version 9.4.12.v20180830

Mon, 12 Nov 2018 02:52:13 -0800 


    [ 
https://issues.apache.org/jira/browse/QPID-8259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16683559#comment-16683559
 ] 

ASF subversion and git services commented on QPID-8259:
-------------------------------------------------------

Commit a70d7c3db78ac222b331d4c608dae44bb839b16d in qpid-broker-j's branch 
refs/heads/master from [~alex.rufous]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=a70d7c3 ]

QPID-8259: [Broker-J] Upgrade Jetty to version 9.4.12.v20180830


> [Broker-J] Upgrade Jetty to version 9.4.12.v20180830
> ----------------------------------------------------
>
>                 Key: QPID-8259
>                 URL: https://issues.apache.org/jira/browse/QPID-8259
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0
>
>
> A number of security vulnerabilities have been reported against version in 
> use. See 
> [https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html]
> ||yyyy/mm/dd||        ID      ||Exploitable|| Severity||      Affects||       
> Fixed Version|| Comment||
> |2018/06/25|CVE-2018-12538|High|High|>= 9.4.0, < = 9.4.8|9.4.9|HttpSessions 
> present specifically in the FileSystem’s storage could be hijacked/accessed 
> by an unauthorized user.|
> |2018/06/25|CVE-2018-12536|High|See CWE-202|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|InvalidPathException Message reveals webapp system path.|
> |2018/06/25|CVE-2017-7658|See CWE-444|See CWE-444|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|Too Tolerant Parser, Double Content-Length + Transfer-Encoding + 
> Whitespace.|
> |2018/06/25|CVE-2017-7657|See CWE-444|See CWE-444|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|HTTP/1.1 Request smuggling with carefully crafted body content (Does 
> not apply to HTTP/1.0 or HTTP/2).|
> |2018/06/25|CVE-2017-7656|See CWE-444|See CWE-444|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|HTTP Request Smuggling when used with invalid request headers (for 
> HTTP/0.9).|



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to