FEDORA-2018-48b73ed393

security update in Fedora 28 for jetty

Status: stable 9 months ago

Update to upstream version 9.4.11. Fixes CVE-2017-7656, CVE-2017-7657, CVE-2017-7658.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-48b73ed393

Comments 13

This update has been submitted for testing by msimacek.

This update has been pushed to testing.

Hallo @msimacek, in the Jetty CVE announcement there are two more CVEs:

https://dev.eclipse.org/mhonarc/lists/jetty-dev/msg03191.html - CVE-2018-12536 - CVE-2018-12538

I understand that Fedora 28 isn't affected by CVE-2018-12538 because of the version used before. But can you confirm that Fedora 27 and 28 are not affected by CVE-2018-12536?

Versions affected:
- EOL releases - 9.2.x and older (all configurations)
- 9.3.x (all configurations)
- 9.4.x (all configurations)

Thanks

I looked at upstream's git, and CVE-2018-12536 was only fixed in jetty-9.4.11.v20180605 for the 9.4.x branch. So Fedora 27 and 28 are affected by it, and this update fixes it. I don't know why the security team did not report CVE-2018-12536.

Ah, my bad, they reported it, but I somehow missed the bug due to the low priority. Will add it now.

msimacek edited this update.

EZ, thanks for the clarification and for taking care! best

works for me

karma: +1

Works for me. No regressions noted compared to previous version.

karma: +1

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for batched by msimacek.

This update has been submitted for stable by bodhi.

This update has been pushed to stable.


Content Type: RPM
Status: stable
Test Gating
Submitted by
Update Type: security
Update Severity: unspecified
Karma: +2 (stable threshold: 3, unstable threshold: -3)
Autopush: Enabled

Dates
submitted 9 months ago
in testing 9 months ago
in stable 9 months ago
modified 9 months ago

Related Bugs 6

#1595620 CVE-2017-7657 jetty: HTTP request smuggling
#1595621 CVE-2017-7658 jetty: Incorrect header handling
#1595622 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 jetty: various flaws [fedora-all]
#1595639 CVE-2017-7656 jetty: HTTP request smuggling using the range header
#1597418 CVE-2018-12536 jetty: full server path revealed when using the default Error Handling
#1597419 CVE-2018-12536 jetty: full server path revealed when using the default Error Handling [fedora-all]