jetty-annotations-9.4.43-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10878 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z jetty-annotations-9.4.43-1.2 on GA media These are all security issues fixed in the jetty-annotations-9.4.43-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10878 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10878 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-27218/ SUSE CVE CVE-2020-27218 page https://www.suse.com/security/cve/CVE-2020-27223/ SUSE CVE CVE-2020-27223 page https://www.suse.com/security/cve/CVE-2021-28163/ SUSE CVE CVE-2021-28163 page https://www.suse.com/security/cve/CVE-2021-28164/ SUSE CVE CVE-2021-28164 page https://www.suse.com/security/cve/CVE-2021-28165/ SUSE CVE CVE-2021-28165 page https://www.suse.com/security/cve/CVE-2021-28169/ SUSE CVE CVE-2021-28169 page https://www.suse.com/security/cve/CVE-2021-34429/ SUSE CVE CVE-2021-34429 page openSUSE Tumbleweed jetty-annotations-9.4.43-1.2 jetty-ant-9.4.43-1.2 jetty-cdi-9.4.43-1.2 jetty-client-9.4.43-1.2 jetty-continuation-9.4.43-1.2 jetty-deploy-9.4.43-1.2 jetty-fcgi-9.4.43-1.2 jetty-http-9.4.43-1.2 jetty-http-spi-9.4.43-1.2 jetty-io-9.4.43-1.2 jetty-jaas-9.4.43-1.2 jetty-jmx-9.4.43-1.2 jetty-jndi-9.4.43-1.2 jetty-jsp-9.4.43-1.2 jetty-minimal-javadoc-9.4.43-1.2 jetty-openid-9.4.43-1.2 jetty-plus-9.4.43-1.2 jetty-proxy-9.4.43-1.2 jetty-quickstart-9.4.43-1.2 jetty-rewrite-9.4.43-1.2 jetty-security-9.4.43-1.2 jetty-server-9.4.43-1.2 jetty-servlet-9.4.43-1.2 jetty-servlets-9.4.43-1.2 jetty-start-9.4.43-1.2 jetty-util-9.4.43-1.2 jetty-util-ajax-9.4.43-1.2 jetty-webapp-9.4.43-1.2 jetty-xml-9.4.43-1.2 jetty-annotations-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-ant-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-cdi-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-client-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-continuation-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-deploy-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-fcgi-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-http-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-http-spi-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-io-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-jaas-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-jmx-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-jndi-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-jsp-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-minimal-javadoc-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-openid-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-plus-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-proxy-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-quickstart-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-rewrite-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-security-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-server-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-servlet-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-servlets-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-start-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-util-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-util-ajax-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-webapp-9.4.43-1.2 as a component of openSUSE Tumbleweed jetty-xml-9.4.43-1.2 as a component of openSUSE Tumbleweed In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. CVE-2020-27218 openSUSE Tumbleweed:jetty-annotations-9.4.43-1.2 openSUSE Tumbleweed:jetty-ant-9.4.43-1.2 openSUSE Tumbleweed:jetty-cdi-9.4.43-1.2 openSUSE Tumbleweed:jetty-client-9.4.43-1.2 openSUSE Tumbleweed:jetty-continuation-9.4.43-1.2 openSUSE Tumbleweed:jetty-deploy-9.4.43-1.2 openSUSE Tumbleweed:jetty-fcgi-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-spi-9.4.43-1.2 openSUSE Tumbleweed:jetty-io-9.4.43-1.2 openSUSE Tumbleweed:jetty-jaas-9.4.43-1.2 openSUSE Tumbleweed:jetty-jmx-9.4.43-1.2 openSUSE Tumbleweed:jetty-jndi-9.4.43-1.2 openSUSE Tumbleweed:jetty-jsp-9.4.43-1.2 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.43-1.2 openSUSE Tumbleweed:jetty-openid-9.4.43-1.2 openSUSE Tumbleweed:jetty-plus-9.4.43-1.2 openSUSE Tumbleweed:jetty-proxy-9.4.43-1.2 openSUSE Tumbleweed:jetty-quickstart-9.4.43-1.2 openSUSE Tumbleweed:jetty-rewrite-9.4.43-1.2 openSUSE Tumbleweed:jetty-security-9.4.43-1.2 openSUSE Tumbleweed:jetty-server-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlet-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlets-9.4.43-1.2 openSUSE Tumbleweed:jetty-start-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-ajax-9.4.43-1.2 openSUSE Tumbleweed:jetty-webapp-9.4.43-1.2 openSUSE Tumbleweed:jetty-xml-9.4.43-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-27218.html CVE-2020-27218 https://bugzilla.suse.com/1179727 SUSE Bug 1179727 In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. CVE-2020-27223 openSUSE Tumbleweed:jetty-annotations-9.4.43-1.2 openSUSE Tumbleweed:jetty-ant-9.4.43-1.2 openSUSE Tumbleweed:jetty-cdi-9.4.43-1.2 openSUSE Tumbleweed:jetty-client-9.4.43-1.2 openSUSE Tumbleweed:jetty-continuation-9.4.43-1.2 openSUSE Tumbleweed:jetty-deploy-9.4.43-1.2 openSUSE Tumbleweed:jetty-fcgi-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-spi-9.4.43-1.2 openSUSE Tumbleweed:jetty-io-9.4.43-1.2 openSUSE Tumbleweed:jetty-jaas-9.4.43-1.2 openSUSE Tumbleweed:jetty-jmx-9.4.43-1.2 openSUSE Tumbleweed:jetty-jndi-9.4.43-1.2 openSUSE Tumbleweed:jetty-jsp-9.4.43-1.2 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.43-1.2 openSUSE Tumbleweed:jetty-openid-9.4.43-1.2 openSUSE Tumbleweed:jetty-plus-9.4.43-1.2 openSUSE Tumbleweed:jetty-proxy-9.4.43-1.2 openSUSE Tumbleweed:jetty-quickstart-9.4.43-1.2 openSUSE Tumbleweed:jetty-rewrite-9.4.43-1.2 openSUSE Tumbleweed:jetty-security-9.4.43-1.2 openSUSE Tumbleweed:jetty-server-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlet-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlets-9.4.43-1.2 openSUSE Tumbleweed:jetty-start-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-ajax-9.4.43-1.2 openSUSE Tumbleweed:jetty-webapp-9.4.43-1.2 openSUSE Tumbleweed:jetty-xml-9.4.43-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-27223.html CVE-2020-27223 https://bugzilla.suse.com/1182898 SUSE Bug 1182898 In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. CVE-2021-28163 openSUSE Tumbleweed:jetty-annotations-9.4.43-1.2 openSUSE Tumbleweed:jetty-ant-9.4.43-1.2 openSUSE Tumbleweed:jetty-cdi-9.4.43-1.2 openSUSE Tumbleweed:jetty-client-9.4.43-1.2 openSUSE Tumbleweed:jetty-continuation-9.4.43-1.2 openSUSE Tumbleweed:jetty-deploy-9.4.43-1.2 openSUSE Tumbleweed:jetty-fcgi-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-spi-9.4.43-1.2 openSUSE Tumbleweed:jetty-io-9.4.43-1.2 openSUSE Tumbleweed:jetty-jaas-9.4.43-1.2 openSUSE Tumbleweed:jetty-jmx-9.4.43-1.2 openSUSE Tumbleweed:jetty-jndi-9.4.43-1.2 openSUSE Tumbleweed:jetty-jsp-9.4.43-1.2 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.43-1.2 openSUSE Tumbleweed:jetty-openid-9.4.43-1.2 openSUSE Tumbleweed:jetty-plus-9.4.43-1.2 openSUSE Tumbleweed:jetty-proxy-9.4.43-1.2 openSUSE Tumbleweed:jetty-quickstart-9.4.43-1.2 openSUSE Tumbleweed:jetty-rewrite-9.4.43-1.2 openSUSE Tumbleweed:jetty-security-9.4.43-1.2 openSUSE Tumbleweed:jetty-server-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlet-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlets-9.4.43-1.2 openSUSE Tumbleweed:jetty-start-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-ajax-9.4.43-1.2 openSUSE Tumbleweed:jetty-webapp-9.4.43-1.2 openSUSE Tumbleweed:jetty-xml-9.4.43-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28163.html CVE-2021-28163 https://bugzilla.suse.com/1184366 SUSE Bug 1184366 In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. CVE-2021-28164 openSUSE Tumbleweed:jetty-annotations-9.4.43-1.2 openSUSE Tumbleweed:jetty-ant-9.4.43-1.2 openSUSE Tumbleweed:jetty-cdi-9.4.43-1.2 openSUSE Tumbleweed:jetty-client-9.4.43-1.2 openSUSE Tumbleweed:jetty-continuation-9.4.43-1.2 openSUSE Tumbleweed:jetty-deploy-9.4.43-1.2 openSUSE Tumbleweed:jetty-fcgi-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-spi-9.4.43-1.2 openSUSE Tumbleweed:jetty-io-9.4.43-1.2 openSUSE Tumbleweed:jetty-jaas-9.4.43-1.2 openSUSE Tumbleweed:jetty-jmx-9.4.43-1.2 openSUSE Tumbleweed:jetty-jndi-9.4.43-1.2 openSUSE Tumbleweed:jetty-jsp-9.4.43-1.2 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.43-1.2 openSUSE Tumbleweed:jetty-openid-9.4.43-1.2 openSUSE Tumbleweed:jetty-plus-9.4.43-1.2 openSUSE Tumbleweed:jetty-proxy-9.4.43-1.2 openSUSE Tumbleweed:jetty-quickstart-9.4.43-1.2 openSUSE Tumbleweed:jetty-rewrite-9.4.43-1.2 openSUSE Tumbleweed:jetty-security-9.4.43-1.2 openSUSE Tumbleweed:jetty-server-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlet-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlets-9.4.43-1.2 openSUSE Tumbleweed:jetty-start-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-ajax-9.4.43-1.2 openSUSE Tumbleweed:jetty-webapp-9.4.43-1.2 openSUSE Tumbleweed:jetty-xml-9.4.43-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28164.html CVE-2021-28164 https://bugzilla.suse.com/1184368 SUSE Bug 1184368 https://bugzilla.suse.com/1188438 SUSE Bug 1188438 In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CVE-2021-28165 openSUSE Tumbleweed:jetty-annotations-9.4.43-1.2 openSUSE Tumbleweed:jetty-ant-9.4.43-1.2 openSUSE Tumbleweed:jetty-cdi-9.4.43-1.2 openSUSE Tumbleweed:jetty-client-9.4.43-1.2 openSUSE Tumbleweed:jetty-continuation-9.4.43-1.2 openSUSE Tumbleweed:jetty-deploy-9.4.43-1.2 openSUSE Tumbleweed:jetty-fcgi-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-spi-9.4.43-1.2 openSUSE Tumbleweed:jetty-io-9.4.43-1.2 openSUSE Tumbleweed:jetty-jaas-9.4.43-1.2 openSUSE Tumbleweed:jetty-jmx-9.4.43-1.2 openSUSE Tumbleweed:jetty-jndi-9.4.43-1.2 openSUSE Tumbleweed:jetty-jsp-9.4.43-1.2 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.43-1.2 openSUSE Tumbleweed:jetty-openid-9.4.43-1.2 openSUSE Tumbleweed:jetty-plus-9.4.43-1.2 openSUSE Tumbleweed:jetty-proxy-9.4.43-1.2 openSUSE Tumbleweed:jetty-quickstart-9.4.43-1.2 openSUSE Tumbleweed:jetty-rewrite-9.4.43-1.2 openSUSE Tumbleweed:jetty-security-9.4.43-1.2 openSUSE Tumbleweed:jetty-server-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlet-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlets-9.4.43-1.2 openSUSE Tumbleweed:jetty-start-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-ajax-9.4.43-1.2 openSUSE Tumbleweed:jetty-webapp-9.4.43-1.2 openSUSE Tumbleweed:jetty-xml-9.4.43-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28165.html CVE-2021-28165 https://bugzilla.suse.com/1184367 SUSE Bug 1184367 For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. CVE-2021-28169 openSUSE Tumbleweed:jetty-annotations-9.4.43-1.2 openSUSE Tumbleweed:jetty-ant-9.4.43-1.2 openSUSE Tumbleweed:jetty-cdi-9.4.43-1.2 openSUSE Tumbleweed:jetty-client-9.4.43-1.2 openSUSE Tumbleweed:jetty-continuation-9.4.43-1.2 openSUSE Tumbleweed:jetty-deploy-9.4.43-1.2 openSUSE Tumbleweed:jetty-fcgi-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-spi-9.4.43-1.2 openSUSE Tumbleweed:jetty-io-9.4.43-1.2 openSUSE Tumbleweed:jetty-jaas-9.4.43-1.2 openSUSE Tumbleweed:jetty-jmx-9.4.43-1.2 openSUSE Tumbleweed:jetty-jndi-9.4.43-1.2 openSUSE Tumbleweed:jetty-jsp-9.4.43-1.2 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.43-1.2 openSUSE Tumbleweed:jetty-openid-9.4.43-1.2 openSUSE Tumbleweed:jetty-plus-9.4.43-1.2 openSUSE Tumbleweed:jetty-proxy-9.4.43-1.2 openSUSE Tumbleweed:jetty-quickstart-9.4.43-1.2 openSUSE Tumbleweed:jetty-rewrite-9.4.43-1.2 openSUSE Tumbleweed:jetty-security-9.4.43-1.2 openSUSE Tumbleweed:jetty-server-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlet-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlets-9.4.43-1.2 openSUSE Tumbleweed:jetty-start-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-ajax-9.4.43-1.2 openSUSE Tumbleweed:jetty-webapp-9.4.43-1.2 openSUSE Tumbleweed:jetty-xml-9.4.43-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28169.html CVE-2021-28169 https://bugzilla.suse.com/1187117 SUSE Bug 1187117 For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. CVE-2021-34429 openSUSE Tumbleweed:jetty-annotations-9.4.43-1.2 openSUSE Tumbleweed:jetty-ant-9.4.43-1.2 openSUSE Tumbleweed:jetty-cdi-9.4.43-1.2 openSUSE Tumbleweed:jetty-client-9.4.43-1.2 openSUSE Tumbleweed:jetty-continuation-9.4.43-1.2 openSUSE Tumbleweed:jetty-deploy-9.4.43-1.2 openSUSE Tumbleweed:jetty-fcgi-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-9.4.43-1.2 openSUSE Tumbleweed:jetty-http-spi-9.4.43-1.2 openSUSE Tumbleweed:jetty-io-9.4.43-1.2 openSUSE Tumbleweed:jetty-jaas-9.4.43-1.2 openSUSE Tumbleweed:jetty-jmx-9.4.43-1.2 openSUSE Tumbleweed:jetty-jndi-9.4.43-1.2 openSUSE Tumbleweed:jetty-jsp-9.4.43-1.2 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.43-1.2 openSUSE Tumbleweed:jetty-openid-9.4.43-1.2 openSUSE Tumbleweed:jetty-plus-9.4.43-1.2 openSUSE Tumbleweed:jetty-proxy-9.4.43-1.2 openSUSE Tumbleweed:jetty-quickstart-9.4.43-1.2 openSUSE Tumbleweed:jetty-rewrite-9.4.43-1.2 openSUSE Tumbleweed:jetty-security-9.4.43-1.2 openSUSE Tumbleweed:jetty-server-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlet-9.4.43-1.2 openSUSE Tumbleweed:jetty-servlets-9.4.43-1.2 openSUSE Tumbleweed:jetty-start-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-9.4.43-1.2 openSUSE Tumbleweed:jetty-util-ajax-9.4.43-1.2 openSUSE Tumbleweed:jetty-webapp-9.4.43-1.2 openSUSE Tumbleweed:jetty-xml-9.4.43-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-34429.html CVE-2021-34429 https://bugzilla.suse.com/1188438 SUSE Bug 1188438