FEDORA-2018-48b73ed393

security update in Fedora 28 for jetty

Status: stable 9 months ago

This update has been submitted for testing by msimacek.

9 months ago

This update has been pushed to testing.

9 months ago

lewassec 9 months ago

Hallo @msimacek, in the Jetty CVE-announcement there are two more CVEs:

https://dev.eclipse.org/mhonarc/lists/jetty-dev/msg03191.html - CVE-2018-12536 - CVE-2018-12538 and I understand that Fedora 28 isn't affected by CVE-2018-12538 because of the version used before. But can You confirm that Fedora 27 and 28 are not affected by CVE-2018-12536? Versions affected: EOL releases - 9.2.x and older (all configurations) 9.3.x (all configurations) 9.4.x (all configurations) Thanks

msimacek 9 months ago

I looked at upstream's git and CVE-2018-12536 was only fixed in jetty-9.4.11.v20180605 for the 9.4.x branch. So Fedora 27 and 28 are affected by it and this update fixes it. I don't know why security team did not report CVE-2018-12536

msimacek 9 months ago

Ah, my bad, they reported it, but I somehow missed the bug due to the low priority. Will add it now

msimacek edited this update.

9 months ago

lewassec 9 months ago

EZ, thanks for the clarification and for taking care! best

cserpentis 9 months ago

works for me

karma: +1

chr77 9 months ago

Works for me. No regressions noted compared to previous version.

karma: +1

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

9 months ago

This update has been submitted for batched by msimacek.

9 months ago

This update has been submitted for stable by bodhi.

9 months ago

This update has been pushed to stable.

9 months ago

Add Comment & Feedback
Toggle Preview

Comment fields support Fedora-Flavored Markdown. Comments are governed under this privacy policy.

Text fields in Bodhi2 support an enhanced version of markdown. This is a cheat sheet for your reference.

You can do headers by underlining or by prefixing with the # character:

This is an H1
=============

This is an H2
-------------

# This is another H1

## This is another H2

You can do blockquotes using email-style prefixes with the > character:

> This is a quotation
> over many lines
> > and it can be nested(!)

Lists work like you'd expect, by prefixing with any of the *, +, or - characters:

Check out this list:

* This
* is
* a list..

You need a blank line between a paragraph and the start of a list for the renderer to pick up on it.

Emphasis can be added like this:

*italics*
_italics_
**bold**
__bold__

You can save your code references from being misinterpreted as emphasis by surrounding them with backtick characters (`):

Use `the_best_function()` and _not_ that crummy one.

Links look like this:

[text](http://getfedora.org)

..but we also support bare links if you just provide a URL.

You can create code blocks by indenting every line of the block by at least 4 spaces or 1 tab.

Here is a code block:

    for i in range(4):
        print i
    print "done."

You can reference bug reports by simply writing something of the form tracker#ticketid.

This fixes PHP#1234 and Python#2345

... we will automatically generate links to the tickets in the appropriate trackers in place.

The supported bug tracker prefixes are: (these are all case-insensitive)

Fedora, RHBZ and RH (all point to the Red Hat Bugzilla)
GNOME
KDE
PEAR
PHP
Python

And you can refer to other users by prefixing their username with the @ symbol.

Thanks @mattdm!

This will generate a link to their profile, but it won't necessarily send them a notification unless they have a special FMN rule set up to catch it.

Lastly, you can embed inline images with syntax like this:

![Alt text](/path/to/img.jpg)

-1	0	+1	Feedback Guidelines
			Is the update generally functional? (karma) You need to be logged in to add karma!
			#1595620 CVE-2017-7657 jetty: HTTP request smuggling
			#1595621 CVE-2017-7658 jetty: Incorrect header handling
			#1595622 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 jetty: various flaws [fedora-all]
			#1595639 CVE-2017-7656 jetty: HTTP request smuggling using the range header
			#1597418 CVE-2018-12536 jetty: full server path revealed when using the default Error Handling
			#1597419 CVE-2018-12536 jetty: full server path revealed when using the default Error Handling [fedora-all]

Content Type

RPM

Status

stable

Test Gating

Submitted by

msimacek

Update Type

security

Update Severity

unspecified

Karma

+2
stable threshold: 3
unstable threshold: -3

Autopush

Enabled

Dates

submitted	9 months ago
in testing	9 months ago
in stable	9 months ago
modified	9 months ago

FEDORA-2018-48b73ed393

security update in Fedora 28 for jetty

How to install

Comments 13

Add Comment & Feedback
Toggle Preview

Related Bugs 6

Automated Test Results

FEDORA-2018-48b73ed393

security update in Fedora 28 for jetty

How to install

Comments 13

Add Comment & Feedback Toggle Preview

Related Bugs 6

Automated Test Results

Add Comment & Feedback
Toggle Preview