On Fri, 02 Apr 2021 12:37:27 +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:

> CVE-2021-28165 01.04.21 17:15
> In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and
> 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
> large invalid TLS frame.
>
> CVE-2021-28164 01.04.21 17:15
> In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default
> compliance mode allows requests with URIs that contain %2e or %2e%2e
> segments to access protected resources within the WEB-INF directory.
> For example a request to /context/%2e/WEB-INF/web.xml can retrieve the
> web.xml file. This can reveal sensitive information regarding the
> implementation of a web application.
>
> CVE-2021-28163 01.04.21 17:15
> In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and
> 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a
> symlink, the contents of the webapps directory are deployed as a static
> webapp, inadvertently serving the webapps themselves and anything else
> that might be in that directory.
>
> The fix is to upgrade to the latest version, currently: 9.4.39.v20210325

Hi Guix!

Attached is a patch for these security issues. I'm not very happy with them, because I had to do many things, but when updating 4 yo packages, it's somewhat expected. The packages now require junit 5 to run the tests, so I had to disable them, and dependencies have changed a bit, with the notable addition of util-ajax.

Unfortunately, I cannot update the 9.2.* versions, and jetty-test-classes fails to build, though it's not needed anymore as it's only used during tests. I believe I added these packages initially only because I didn't want users to mistakenly install the 9.2.* versions that were not the latest at the time.

We might want to update to jetty 11 or figure out how to build junit 5, which has quite a complex dependency graph, with a few cycles.

Thanks Léo for noticing this!
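The CVE-2021-28164 entry quoted above turns on one detail: a protection rule matched against the raw request path does not see `/context/WEB-INF/...` when the path is written as `/context/%2e/WEB-INF/...`, yet the file system lookup resolves it there. The check below is an added illustration for defenders, not code from the mail, from Jetty or from the Guix patch: it normalizes a request target the way a resource lookup would (percent-decode once, then collapse dot segments) and flags any request that lands on a WEB-INF or META-INF segment. The sample request targets are constructed, the context path `/context` is taken from the CVE text, and the rule is deliberately conservative (any WEB-INF segment anywhere is flagged).

```python
from urllib.parse import unquote

# Directories a servlet container must never serve directly. Compared
# case-insensitively so a case-insensitive file system gets no free pass.
PROTECTED_SEGMENTS = {"WEB-INF", "META-INF"}


def remove_dot_segments(path: str) -> str:
    """Collapse '.' and '..' segments of an already percent-decoded path
    (RFC 3986 section 5.2.4), without ever climbing above the root."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:  # keep the leading "" that stands for "/"
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out)


def canonical_path(raw_target: str) -> str:
    """Return the path a file lookup would actually see: query string dropped,
    percent-decoded exactly once, dot segments resolved. Decoding only once
    matters: '%252e' becomes the literal text '%2e', not a dot."""
    path = raw_target.split("?", 1)[0]
    return remove_dot_segments(unquote(path))


def is_protected(raw_target: str) -> bool:
    """True if the normalized request reaches WEB-INF or META-INF, i.e. the
    check that a raw-path prefix match misses for '%2e' segments."""
    segments = canonical_path(raw_target).split("/")
    return any(seg.upper() in PROTECTED_SEGMENTS for seg in segments)


# Constructed sample request targets (not from any real access log).
SAMPLE_REQUESTS = [
    "/context/index.html",
    "/context/%2e/WEB-INF/web.xml",               # the CVE's own example
    "/context/static/%2e%2e/WEB-INF/web.xml?v=1",  # %2e%2e variant with query
    "/context/images/logo.png",
]


def flag_requests(targets):
    """Detection pass over a batch of request targets: return the ones that
    resolve into a protected directory."""
    return [t for t in targets if is_protected(t)]


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(f"{target!r:45} -> {canonical_path(target)!r:35} protected={is_protected(target)}")
```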