[jira] [Commented] (QPID-8259) [Broker-J] Upgrade Jetty to version 9.4.12.v20180830

Wed, 19 Dec 2018 07:05:22 -0800 


    [ 
https://issues.apache.org/jira/browse/QPID-8259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16725082#comment-16725082
 ] 

ASF subversion and git services commented on QPID-8259:
-------------------------------------------------------

Commit 09278a522e3fee521b90c06671e4baac1cb71929 in qpid-broker-j's branch 
refs/heads/7.0.x from Alex Rudyy
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=09278a5 ]

QPID-8259: [Broker-J] Fix tests failing on IBM JDK due to jetty default cipher 
suites excludes excluding valid IBM JDK cipher suites

(cherry picked from commit 1cc83b38dc2bdb295ffbf7eb4d832cfae68dfdb2)


> [Broker-J] Upgrade Jetty to version 9.4.12.v20180830
> ----------------------------------------------------
>
>                 Key: QPID-8259
>                 URL: https://issues.apache.org/jira/browse/QPID-8259
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0
>
>
> A number of security vulnerabilities have been reported against version in 
> use. See 
> [https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html]
> ||yyyy/mm/dd||        ID      ||Exploitable|| Severity||      Affects||       
> Fixed Version|| Comment||
> |2018/06/25|CVE-2018-12538|High|High|>= 9.4.0, < = 9.4.8|9.4.9|HttpSessions 
> present specifically in the FileSystem’s storage could be hijacked/accessed 
> by an unauthorized user.|
> |2018/06/25|CVE-2018-12536|High|See CWE-202|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|InvalidPathException Message reveals webapp system path.|
> |2018/06/25|CVE-2017-7658|See CWE-444|See CWE-444|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|Too Tolerant Parser, Double Content-Length + Transfer-Encoding + 
> Whitespace.|
> |2018/06/25|CVE-2017-7657|See CWE-444|See CWE-444|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|HTTP/1.1 Request smuggling with carefully crafted body content (Does 
> not apply to HTTP/1.0 or HTTP/2).|
> |2018/06/25|CVE-2017-7656|See CWE-444|See CWE-444|< = 9.4.10|9.2.25, 9.3.24, 
> 9.4.11|HTTP Request Smuggling when used with invalid request headers (for 
> HTTP/0.9).|



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to