Updating security reports to reference project page

2020-10-13 12:08:57 -05:00 · 2020-10-13 12:08:57 -05:00 · ca5165bd06
parent c37c2c59ab
commit ca5165bd06
3 changed files with 11 additions and 170 deletions
--- a/jetty-documentation/src/main/asciidoc/reference/contributing/chapter.adoc
+++ b/jetty-documentation/src/main/asciidoc/reference/contributing/chapter.adoc
@ -28,6 +28,5 @@ include::source-build.adoc[]
 include::coding-standards.adoc[]
 include::bugs.adoc[]
 include::patches.adoc[]
 include::security.adoc[]
 include::releasing-jetty.adoc[]
 include::release-testing.adoc[]
--- a/jetty-documentation/src/main/asciidoc/reference/contributing/security.adoc
+++ b/jetty-documentation/src/main/asciidoc/reference/contributing/security.adoc
@ -1,32 +0,0 @@
 //
 //  ========================================================================
 //  Copyright (c) 1995-2020 Mort Bay Consulting Pty Ltd and others.
 //  ========================================================================
 //  All rights reserved. This program and the accompanying materials
 //  are made available under the terms of the Eclipse Public License v1.0
 //  and Apache License v2.0 which accompanies this distribution.
 //
 //      The Eclipse Public License is available at
 //      http://www.eclipse.org/legal/epl-v10.html
 //
 //      The Apache License v2.0 is available at
 //      http://www.opensource.org/licenses/apache2.0.php
 //
 //  You may elect to redistribute this code under either of these licenses.
 //  ========================================================================
 //
 [[security-reporting]]
 === Reporting Security Issues
 There are a number of avenues for reporting security issues to the Jetty project available.
 If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged.
 The most direct method is to mail _security@webtide.com_.
 Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method.
 We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances.
 If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to _security@eclipse.org_.
 If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine.
 We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it has no facility to tag issues as _private_.
--- a/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc
+++ b/jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc
@ -19,147 +19,21 @@
 [[security-reports]]
 === Jetty Security Reports
-The following sections provide information about Jetty security issues.
+==== List of Security Reports
-If you would like to report a security issue please follow these link:#security-reporting[instructions].
+A current list of Jetty security reports can be viewed on the link:https://www.eclipse.org/jetty/security-reports.htmlhttps://www.eclipse.org/jetty/security-reports.html[Project Home Page.]
-.Resolved Issues
+==== Reporting Security Issues
 [width="99%",cols="11%,19%,14%,9%,14%,14%,19%",options="header",]
 |=======================================================================
 |yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment
-|2019/08/13 |CVE-2019-9518 |Med |Med |< = 9.4.20 |9.4.21
+There are a number of avenues for reporting security issues to the Jetty project available.
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518[Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.]
-|2019/08/13 |CVE-2019-9516 |Med |Med |< = 9.4.20 |9.4.21
+If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged.
-|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516[Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.]
+The most direct method is to mail _security@webtide.com_.
 Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method.
 We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances.
-|2019/08/13 |CVE-2019-9515 |Med |Med |< = 9.4.20 |9.4.21
+If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to _security@eclipse.org_.
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515[Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sent a stream of SETTINGS frames to the peer.]
-|2019/08/13 |CVE-2019-9514 |Med |Med |< = 9.4.20 |9.4.21
+If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine.
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514[Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.]
-|2019/08/13 |CVE-2019-9512 |Low |Low |< = 9.4.20 |9.4.21
+We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it currently has *no* facility to tag issues as _private_.
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512[Some HTTP/2 implementations are vulnerable to ping floods which could lead to a denial of service.]
 |2019/08/13 |CVE-2019-9511 |Low |Low |< = 9.4.20 |9.4.21
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511[Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation which could lead to a denial of service.]
 |2019/04/11 |CVE-2019-10247 |Med |Med |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247[If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.]
 |2019/04/11 |CVE-2019-10246 |High |High |< = 9.4.16 |9.2.28, 9.3.27, 9.4.17
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.]
 |2019/04/11 |CVE-2019-10241 |High |High |< = 9.4.15 |9.2.27, 9.3.26, 9.4.16
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241[Use of `DefaultServlet` or `ResourceHandler` with indexing was vulnerable to XSS behaviors to expose the directory listing.]
 |2018/06/25 |CVE-2018-12538 |High |High |>= 9.4.0, < = 9.4.8 |9.4.9
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538[`HttpSessions` present specifically in the FileSystem’s storage could be hijacked/accessed by an unauthorized user.]
 |2018/06/25 |CVE-2018-12536 |High |See https://cwe.mitre.org/data/definitions/209.html[CWE-202] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536[`InvalidPathException` Message reveals webapp system path.]
 |2018/06/25 |CVE-2017-7658 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7658[Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.]
 |2018/06/25 |CVE-2017-7657 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657[HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).]
 |2018/06/25 |CVE-2017-7656 |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |See https://cwe.mitre.org/data/definitions/444.html[CWE-444] |< = 9.4.10 |9.2.25, 9.3.24, 9.4.11
 |https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7656[HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).]
 |2016/05/31 |CVE-2016-4800 |high |high |>= 9.3.0, < = 9.3.8 |9.3.9
 |http://www.ocert.org/advisories/ocert-2016-001.html[Alias vulnerability allowing access to protected resources within a webapp on Windows.]
 |2015/02/24 |http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html[CVE-2015-2080] |high |high |>=9.2.3 <9.2.9 |9.2.9
 |JetLeak exposure of past buffers during HttpParser error
 |2013/11/27 |http://en.securitylab.ru/lab/PT-2013-65[PT-2013-65] |medium
 |high |>=9.0.0 <9.0.5 |9.0.6
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014[418014] |Alias checking disabled by NTFS errors on Windows.
 |2013/07/24
 |https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684] |low
 |medium |>=7.6.9 <9.0.5 |7.6.13,8.1.13,9.0.5
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684]
 |Constraints bypassed if Unix symlink alias checker used on Windows.
 |2011/12/29
 |http://www.ocert.org/advisories/ocert-2011-003.html[CERT2011-003] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461[CVE-2011-4461]
 |high |medium |All versions |7.6.0.RCO
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638[Jetty-367638]
 |Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).
 |2009/11/05
 |http://www.kb.cert.org/vuls/id/120541[CERT2011-003] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555[CERT2011-003]
 |medium |high |JVM<1.6u19 |jetty-7.01.v20091125, jetty-6.1.22 |Work
 around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19
 setAllowRenegotiate(true) may be called on connectors.
 |2009/06/18 |Jetty-1042 |low
 |high |< = 6.1.18, < = 7.0.0.M4 |6.1.19, 7.0.0.Rc0 |Cookie leak between
 requests sharing a connection.
 |2009/04/30 |http://www.kb.cert.org/vuls/id/402580[CERT402580] |medium
 |high |< = 6.1.16, < = 7.0.0.M2 a|
 5.1.15, 6.1.18, 7.0.0.M2
 Jetty-1004
 |View arbitrary disk content in some specific configurations.
 |2007/12/22
 |http://www.kb.cert.org/vuls/id/553235[CERT553235] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672[CVE-2007-6672]
 |high |medium |6.1.rrc0-6.1.6 a|
 6.1.7
 CERT553235
 |Static content visible in WEB-INF and past security constraints.
 |2007/11/05
 |http://www.kb.cert.org/vuls/id/438616[CERT438616] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614[CVE-2007-5614]
 |low |low |<6.1.6 |6.1.6rc1 (patch in CVS for jetty5) |Single quote in
 cookie name.
 |2007/11/05
 |http://www.kb.cert.org/vuls/id/237888[CERT237888>] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613[CVE-2007-5613]
 |low |low |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |XSS in demo dup
 servlet.
 |2007/11/03 |http://www.kb.cert.org/vuls/id/212984[CERT212984
 >] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615[CVE-2007-5615]
 |medium |medium |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |CRLF
 Response splitting.
 |2006/11/22
 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969[CVE-2006-6969]
 |low |high |<6.1.0, <6.0.2, <5.1.12, <4.2.27 |6.1.0pre3, 6.0.2, 5.1.12,
 4.2.27 |Session ID predictability.
 |2006/06/01
 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759[CVE-2006-2759]
 |medium |medium |<6.0.*, <6.0.0Beta17 |6.0.0Beta17 |JSP source
 visibility.
 |2006/01/05 | |medium |medium |<5.1.10 |5.1.10 |Fixed //security
 constraint bypass on Windows.
 |2005/11/18
 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758[CVE-2006-2758]
 |medium |medium |<5.1.6 |5.1.6, 6.0.0Beta4 |JSP source visibility.
 |2004/02/04 |JSSE 1.0.3_01 |medium |medium |<4.2.7 |4.2.7 |Upgraded JSSE
 to obtain downstream security fix.
 |2002/09/22 | |high |high |<4.1.0 |4.1.0 |Fixed CGI servlet remove
 exploit.
 |2002/03/12 | |medium | |<3.1.7 |4.0.RC2, 3.1.7 |Fixed // security
 constraint bypass.
 |2001/10/21 |medium | |high |<3.1.3 |3.1.3 |Fixed trailing null security
 constraint bypass.
 |=======================================================================