Updating security reports to reference project page

Chris Walker 2020-10-13 12:08:57 -05:00
parent c37c2c59ab
commit ca5165bd06
No known key found for this signature in database
GPG Key ID: 422B41E6AAA5A72C
3 changed files with 11 additions and 170 deletions


@ -28,6 +28,5 @@ include::source-build.adoc[]
include::coding-standards.adoc[]
include::bugs.adoc[]
include::patches.adoc[]
include::security.adoc[]
include::releasing-jetty.adoc[]
include::release-testing.adoc[]
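Review bot: with `include::security.adoc[]` gone from this include list, the chapter that covers `bugs.adoc` and `patches.adoc` no longer tells a reader how to report a security issue. Since the reporting text now lives under the security reports section, consider leaving a one-line cross-reference here (for example in `bugs.adoc`) so that someone about to file a public bug sees the private reporting route first.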


@ -1,32 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2020 Mort Bay Consulting Pty Ltd and others.
// ========================================================================
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
[[security-reporting]]
=== Reporting Security Issues
There are a number of avenues for reporting security issues to the Jetty project available.
If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged.
The most direct method is to mail _security@webtide.com_.
Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method.
We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances.
If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to _security@eclipse.org_.
If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine.
We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it has no facility to tag issues as _private_.
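Review bot: the `[[security-reporting]]` anchor on the deleted `=== Reporting Security Issues` heading is not carried over to the `==== Reporting Security Issues` heading that replaces it in the security reports file, which appears there without any anchor line. Any remaining `link:#security-reporting[...]` reference will dangle once this file is deleted, so either place `[[security-reporting]]` above the new heading or confirm that no references to it remain.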


@ -19,147 +19,21 @@
[[security-reports]]
=== Jetty Security Reports
The following sections provide information about Jetty security issues.
==== List of Security Reports
If you would like to report a security issue please follow these link:#security-reporting[instructions].
A current list of Jetty security reports can be viewed on the link:https://www.eclipse.org/jetty/security-reports.htmlhttps://www.eclipse.org/jetty/security-reports.html[Project Home Page.]
.Resolved Issues
[width="99%",cols="11%,19%,14%,9%,14%,14%,19%",options="header",]
|=======================================================================
|yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment
==== Reporting Security Issues
|2019/08/13 |CVE-2019-9518 |Med |Med |< = 9.4.20 |9.4.21
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518[Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.]
There are a number of avenues for reporting security issues to the Jetty project available.
|2019/08/13 |CVE-2019-9516 |Med |Med |< = 9.4.20 |9.4.21
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516[Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.]
If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged.
The most direct method is to mail _security@webtide.com_.
Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method.
We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances.
|2019/08/13 |CVE-2019-9515 |Med |Med |< = 9.4.20 |9.4.21
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515[Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sent a stream of SETTINGS frames to the peer.]
If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to _security@eclipse.org_.
|2019/08/13 |CVE-2019-9514 |Med |Med |< = 9.4.20 |9.4.21
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514[Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.]
If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine.
|2019/08/13 |CVE-2019-9512 |Low |Low |< = 9.4.20 |9.4.21
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512[Some HTTP/2 implementations are vulnerable to ping floods which could lead to a denial of service.]
|2019/08/13 |CVE-2019-9511 |Low |Low |< = 9.4.20 |9.4.21
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511[Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation which could lead to a denial of service.]
|2019/04/11 |CVE-2019-10247 |Med |Med |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247[If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.]
|2019/04/11 |CVE-2019-10246 |High |High |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.]
|2019/04/11 |CVE-2019-10241 |High |High |< = 9.4.15 |9.2.27, 9.3.26, 9.4.16
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing.]
|2018/06/25 |CVE-2018-12538 |High |High |>= 9.4.0, < = 9.4.8 |9.4.9
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538[`HttpSessions` present specifically in the FileSystems storage could be hijacked/accessed by an unauthorized user.]
|2018/06/25 |CVE-2018-12536 |High |See https://cwe.mitre.org/data/definitions/209.html[CWE-202] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536[`InvalidPathException` Message reveals webapp system path.]
|2018/06/25 |CVE-2017-7658 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7658[Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.]
|2018/06/25 |CVE-2017-7657 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657[HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).]
|2018/06/25 |CVE-2017-7656 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
|https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7656[HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).]
|2016/05/31 |CVE-2016-4800 |high |high |>= 9.3.0, < = 9.3.8 |9.3.9
|http://www.ocert.org/advisories/ocert-2016-001.html[Alias vulnerability allowing access to protected resources within a webapp on Windows.]
|2015/02/24 |http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html[CVE-2015-2080] |high |high |>=9.2.3 <9.2.9 |9.2.9
|JetLeak exposure of past buffers during HttpParser error
|2013/11/27 |http://en.securitylab.ru/lab/PT-2013-65[PT-2013-65] |medium
|high |>=9.0.0 <9.0.5 |9.0.6
https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014[418014] |Alias checking disabled by NTFS errors on Windows.
|2013/07/24
|https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684] |low
|medium |>=7.6.9 <9.0.5 |7.6.13,8.1.13,9.0.5
https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684]
|Constraints bypassed if Unix symlink alias checker used on Windows.
|2011/12/29
|http://www.ocert.org/advisories/ocert-2011-003.html[CERT2011-003] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461[CVE-2011-4461]
|high |medium |All versions |7.6.0.RCO
https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638[Jetty-367638]
|Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).
|2009/11/05
|http://www.kb.cert.org/vuls/id/120541[CERT2011-003] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555[CERT2011-003]
|medium |high |JVM<1.6u19 |jetty-7.01.v20091125, jetty-6.1.22 |Work
around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19
setAllowRenegotiate(true) may be called on connectors.
|2009/06/18 |Jetty-1042 |low
|high |< = 6.1.18, < = 7.0.0.M4 |6.1.19, 7.0.0.Rc0 |Cookie leak between
requests sharing a connection.
|2009/04/30 |http://www.kb.cert.org/vuls/id/402580[CERT402580] |medium
|high |< = 6.1.16, < = 7.0.0.M2 a|
5.1.15, 6.1.18, 7.0.0.M2
Jetty-1004
|View arbitrary disk content in some specific configurations.
|2007/12/22
|http://www.kb.cert.org/vuls/id/553235[CERT553235] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672[CVE-2007-6672]
|high |medium |6.1.rrc0-6.1.6 a|
6.1.7
CERT553235
|Static content visible in WEB-INF and past security constraints.
|2007/11/05
|http://www.kb.cert.org/vuls/id/438616[CERT438616] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614[CVE-2007-5614]
|low |low |<6.1.6 |6.1.6rc1 (patch in CVS for jetty5) |Single quote in
cookie name.
|2007/11/05
|http://www.kb.cert.org/vuls/id/237888[CERT237888>] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613[CVE-2007-5613]
|low |low |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |XSS in demo dup
servlet.
|2007/11/03 |http://www.kb.cert.org/vuls/id/212984[CERT212984
>] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615[CVE-2007-5615]
|medium |medium |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |CRLF
Response splitting.
|2006/11/22
|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969[CVE-2006-6969]
|low |high |<6.1.0, <6.0.2, <5.1.12, <4.2.27 |6.1.0pre3, 6.0.2, 5.1.12,
4.2.27 |Session ID predictability.
|2006/06/01
|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759[CVE-2006-2759]
|medium |medium |<6.0.*, <6.0.0Beta17 |6.0.0Beta17 |JSP source
visibility.
|2006/01/05 | |medium |medium |<5.1.10 |5.1.10 |Fixed //security
constraint bypass on Windows.
|2005/11/18
|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758[CVE-2006-2758]
|medium |medium |<5.1.6 |5.1.6, 6.0.0Beta4 |JSP source visibility.
|2004/02/04 |JSSE 1.0.3_01 |medium |medium |<4.2.7 |4.2.7 |Upgraded JSSE
to obtain downstream security fix.
|2002/09/22 | |high |high |<4.1.0 |4.1.0 |Fixed CGI servlet remove
exploit.
|2002/03/12 | |medium | |<3.1.7 |4.0.RC2, 3.1.7 |Fixed // security
constraint bypass.
|2001/10/21 |medium | |high |<3.1.3 |3.1.3 |Fixed trailing null security
constraint bypass.
|=======================================================================
We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it currently has *no* facility to tag issues as _private_.
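Review bot: in the "A current list of Jetty security reports can be viewed on the ..." line the link target contains the URL twice, `https://www.eclipse.org/jetty/security-reports.htmlhttps://www.eclipse.org/jetty/security-reports.html`, so the rendered link points at an address that does not exist. Because this link now replaces the whole resolved-issues table, a broken target leaves the documentation with no route to the affected and fixed version data. Keep a single URL in the `link:` macro and move the trailing period out of the link text, i.e. `[Project Home Page].` In the last line, "as opposed through GitHub Issues" should also read "as opposed to through GitHub Issues".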