[ https://issues.apache.org/jira/browse/ZOOKEEPER-4876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17890378#comment-17890378 ]
Damien Diederen edited comment on ZOOKEEPER-4876 at 10/17/24 8:56 AM:
----------------------------------------------------------------------

I looked into this, and bumping the dependency to the latest release of Jetty advertised on [https://jetty.org/download.html], {{9.4.56.v20240826}}, apparently resolves a fresh {{CVE-2024-8184}}, but *not* {{CVE-2024-6763}}—both having been published on 2024-10-14.

Worse still, this comment says: [https://github.com/jetty/jetty.project/pull/12012#issuecomment-2416450253]

{quote}This will not be backported to an End of Community Support version of Jetty.{quote}

On the other hand, it continues with:

{quote}As stated in [CVE-2024-6763|https://github.com/advisories/GHSA-qh8g-58pp-2wxh], the use of Jetty server, or Jetty client, does not make you vulnerable to that CVE.{quote}

The linked report itself explains:

{quote}The impact of this vulnerability is limited to developers that use the Jetty HttpURI directly. Example: your project implemented a blocklist to block on some hosts based on HttpURI's handling of authority section.{quote}

So: should we upgrade to 9.4.56 and suppress CVE-2024-6763? (Note that I haven't performed an analysis of the affected source code!)

WDYT?

was (Author: ddiederen):

I looked into this, and bumping the dependency to the latest release of Jetty advertised on [https://jetty.org/download.html], {{9.4.56.v20240826}}, apparently resolves a fresh {{CVE-2024-8184}}, but *not* {{CVE-2024-6763}}—both having been published on 2024-10-14.

Worse still, this comment says: [https://github.com/jetty/jetty.project/pull/12012#issuecomment-2416450253]

{quote}This will not be backported to an End of Community Support version of Jetty. […]{quote}

On the other hand, it continues with:

{quote}[…] As stated in [CVE-2024-6763|https://github.com/advisories/GHSA-qh8g-58pp-2wxh], the use of Jetty server, or Jetty client, does not make you vulnerable to that CVE.{quote}

The linked report itself explains:

{quote}The impact of this vulnerability is limited to developers that use the Jetty HttpURI directly. Example: your project implemented a blocklist to block on some hosts based on HttpURI's handling of authority section. […]{quote}

So: should we upgrade to 9.4.56 and suppress CVE-2024-6763? (Note that I haven't performed an analysis of the affected source code!)

WDYT?

> jetty-http-9.4.53.v20231009.jar: CVE-2024-6763(3.7)
> ---------------------------------------------------
>
>                 Key: ZOOKEEPER-4876
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4876
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.8.4, 3.9.2, 3.10
>            Reporter: Andor Molnar
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
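Since the advisory quoted above says CVE-2024-6763 only affects code that uses Jetty's HttpURI directly, the source-tree check the comment leaves open can be scripted before any suppression is committed. The following is an added example, not part of the Jira thread or of the ZooKeeper project's own build tooling: it counts Java sources referencing org.eclipse.jetty.http.HttpURI and, only when none are found, emits a time-bound OWASP dependency-check suppression scoped to jetty-http (the packageUrl regex, the expiry date and the output file name are assumptions).

```shell
#!/bin/sh
# Added example, not from the Jira thread or the ZooKeeper project.
# CVE-2024-6763 is described as affecting only direct users of Jetty's
# HttpURI, so confirm the code base has none before suppressing the finding.

# Count Java sources under $1 that reference org.eclipse.jetty.http.HttpURI.
# Prints the count; exit status 0 when none are found, 1 otherwise.
count_httpuri_uses() {
  n=$(find "$1" -name '*.java' -exec grep -l 'org\.eclipse\.jetty\.http\.HttpURI' {} + 2>/dev/null | wc -l | tr -d ' ')
  echo "$n"
  [ "$n" -eq 0 ]
}

# Emit an OWASP dependency-check suppression for CVE-2024-6763 limited to
# jetty-http. The packageUrl regex and the 'until' expiry are assumptions;
# the expiry forces a re-review instead of silencing the finding for good.
write_suppression() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
      CVE-2024-6763 (GHSA-qh8g-58pp-2wxh) only affects code that uses
      org.eclipse.jetty.http.HttpURI directly; verified absent in this tree.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-http@.*$</packageUrl>
    <cve>CVE-2024-6763</cve>
  </suppress>
</suppressions>
EOF
}

# Write the suppression to stdout only when the source tree is clean;
# otherwise report the finding and fail, so CI blocks a blind suppression.
# Usage: suppress_if_clean path/to/src > owaspSuppressions.xml
suppress_if_clean() {
  if uses=$(count_httpuri_uses "$1"); then
    write_suppression
  else
    echo "refusing to suppress: $uses source file(s) use HttpURI directly" >&2
    return 1
  fi
}
```

Run it against the module that bundles jetty-http; a non-zero count means the advisory's carve-out does not apply and the upgrade question has to be answered on its own merits.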