Update to upstream version 9.4.11. Fixes CVE-2017-7656, CVE-2017-7657, CVE-2017-7658.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-48b73ed393
This update has been submitted for testing by msimacek. a year ago
This update has been pushed to testing. a year ago

Hello @msimacek, in the Jetty CVE announcement there are two more CVEs:

https://dev.eclipse.org/mhonarc/lists/jetty-dev/msg03191.html - CVE-2018-12536 - CVE-2018-12538

I understand that Fedora 28 isn't affected by CVE-2018-12538 because of the version used before. But can you confirm that Fedora 27 and 28 are not affected by CVE-2018-12536?

Versions affected:
- EOL releases - 9.2.x and older (all configurations)
- 9.3.x (all configurations)
- 9.4.x (all configurations)

Thanks

I looked at upstream's git and CVE-2018-12536 was only fixed in jetty-9.4.11.v20180605 for the 9.4.x branch. So Fedora 27 and 28 are affected by it and this update fixes it. I don't know why the security team did not report CVE-2018-12536.

Ah, my bad, they reported it, but I somehow missed the bug due to the low priority. Will add it now.

msimacek edited this update. a year ago

EZ, thanks for the clarification and for taking care! Best

cserpentis commented & provided feedback a year ago

works for me

chr77 commented & provided feedback a year ago

Works for me. No regressions noted compared to previous version.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes a year ago
This update has been submitted for batched by msimacek. a year ago
This update has been submitted for stable by bodhi. a year ago
This update has been pushed to stable. a year ago

Metadata
Type: security
Karma: 2
Signed
Content Type: RPM

Test Gating Settings
Unstable by Karma: -3
Stable by Karma: 3

Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago
modified: a year ago
Bugs fixed
BZ#1595620 CVE-2017-7657 jetty: HTTP request smuggling
BZ#1595621 CVE-2017-7658 jetty: Incorrect header handling
BZ#1595622 CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 jetty: various flaws [fedora-all]
BZ#1595639 CVE-2017-7656 jetty: HTTP request smuggling using the range header
BZ#1597418 CVE-2018-12536 jetty: full server path revealed when using the default Error Handling
BZ#1597419 CVE-2018-12536 jetty: full server path revealed when using the default Error Handling [fedora-all]