[jira] [Updated] (QPID-8259) [Broker-J] Upgrade Jetty to version 9.4.12.v20180830
[ https://issues.apache.org/jira/browse/QPID-8259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-8259:
-----------------------------
    Fix Version/s: qpid-java-broker-7.0.7

> [Broker-J] Upgrade Jetty to version 9.4.12.v20180830
> ----------------------------------------------------
>
>                 Key: QPID-8259
>                 URL: https://issues.apache.org/jira/browse/QPID-8259
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0, qpid-java-broker-7.0.7
>
>
> A number of security vulnerabilities have been reported against the version in use. See
> [https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html]
> ||/mm/dd||ID||Exploitable||Severity||Affects||Fixed Version||Comment||
> |2018/06/25|CVE-2018-12538|High|High|>= 9.4.0, <= 9.4.8|9.4.9|HttpSessions present specifically in the FileSystem’s storage could be hijacked/accessed by an unauthorized user.|
> |2018/06/25|CVE-2018-12536|High|See CWE-202|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|InvalidPathException Message reveals webapp system path.|
> |2018/06/25|CVE-2017-7658|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.|
> |2018/06/25|CVE-2017-7657|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).|
> |2018/06/25|CVE-2017-7656|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).|

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

[jira] [Updated] (QPID-8259) [Broker-J] Upgrade Jetty to version 9.4.12.v20180830
[ https://issues.apache.org/jira/browse/QPID-8259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy updated QPID-8259:
-----------------------------
    Status: Reviewable  (was: In Progress)

> [Broker-J] Upgrade Jetty to version 9.4.12.v20180830
> ----------------------------------------------------
>
>                 Key: QPID-8259
>                 URL: https://issues.apache.org/jira/browse/QPID-8259
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0
>
>
> A number of security vulnerabilities have been reported against the version in use. See
> [https://www.eclipse.org/jetty/documentation/9.4.x/security-reports.html]
> ||/mm/dd||ID||Exploitable||Severity||Affects||Fixed Version||Comment||
> |2018/06/25|CVE-2018-12538|High|High|>= 9.4.0, <= 9.4.8|9.4.9|HttpSessions present specifically in the FileSystem’s storage could be hijacked/accessed by an unauthorized user.|
> |2018/06/25|CVE-2018-12536|High|See CWE-202|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|InvalidPathException Message reveals webapp system path.|
> |2018/06/25|CVE-2017-7658|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.|
> |2018/06/25|CVE-2017-7657|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).|
> |2018/06/25|CVE-2017-7656|See CWE-444|See CWE-444|<= 9.4.10|9.2.25, 9.3.24, 9.4.11|HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).|