FEDORA-2018-48b73ed393 — security update for jetty

jetty-9.4.11-2.v20180605.fc28

FEDORA-2018-48b73ed393 created by msimacek a year ago for Fedora 28

stable

Update to upstream version 9.4.11. Fixes CVE-2017-7656, CVE-2017-7657, CVE-2017-7658.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-48b73ed393

This update has been submitted for testing by msimacek. a year ago

This update has been pushed to testing. a year ago

lewassec commented a year ago

Hallo @msimacek, in the Jetty CVE-announcement there are two more CVEs:

https://dev.eclipse.org/mhonarc/lists/jetty-dev/msg03191.html - CVE-2018-12536 - CVE-2018-12538 and I understand that Fedora 28 isn't affected by CVE-2018-12538 because of the version used before. But can You confirm that Fedora 27 and 28 are not affected by CVE-2018-12536? Versions affected: EOL releases - 9.2.x and older (all configurations) 9.3.x (all configurations) 9.4.x (all configurations) Thanks

msimacek commented a year ago

I looked at upstream's git and CVE-2018-12536 was only fixed in jetty-9.4.11.v20180605 for the 9.4.x branch. So Fedora 27 and 28 are affected by it and this update fixes it. I don't know why security team did not report CVE-2018-12536

msimacek commented a year ago

Ah, my bad, they reported it, but I somehow missed the bug due to the low priority. Will add it now

msimacek edited this update. a year ago

lewassec commented a year ago

EZ, thanks for the clarification and for taking care! best