jetty-annotations-9.4.53-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13329 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z jetty-annotations-9.4.53-1.1 on GA media These are all security issues fixed in the jetty-annotations-9.4.53-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13329 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13329 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-36478/ SUSE CVE CVE-2023-36478 page https://www.suse.com/security/cve/CVE-2023-36479/ SUSE CVE CVE-2023-36479 page https://www.suse.com/security/cve/CVE-2023-40167/ SUSE CVE CVE-2023-40167 page https://www.suse.com/security/cve/CVE-2023-41900/ SUSE CVE CVE-2023-41900 page https://www.suse.com/security/cve/CVE-2023-44487/ SUSE CVE CVE-2023-44487 page openSUSE Tumbleweed jetty-annotations-9.4.53-1.1 jetty-ant-9.4.53-1.1 jetty-cdi-9.4.53-1.1 jetty-client-9.4.53-1.1 jetty-continuation-9.4.53-1.1 jetty-deploy-9.4.53-1.1 jetty-fcgi-9.4.53-1.1 jetty-http-9.4.53-1.1 jetty-http-spi-9.4.53-1.1 jetty-io-9.4.53-1.1 jetty-jaas-9.4.53-1.1 jetty-jmx-9.4.53-1.1 jetty-jndi-9.4.53-1.1 jetty-jsp-9.4.53-1.1 jetty-minimal-javadoc-9.4.53-1.1 jetty-openid-9.4.53-1.1 jetty-plus-9.4.53-1.1 jetty-proxy-9.4.53-1.1 jetty-quickstart-9.4.53-1.1 jetty-rewrite-9.4.53-1.1 jetty-security-9.4.53-1.1 jetty-server-9.4.53-1.1 jetty-servlet-9.4.53-1.1 jetty-servlets-9.4.53-1.1 jetty-start-9.4.53-1.1 jetty-util-9.4.53-1.1 jetty-util-ajax-9.4.53-1.1 jetty-webapp-9.4.53-1.1 jetty-xml-9.4.53-1.1 jetty-annotations-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-ant-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-cdi-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-client-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-continuation-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-deploy-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-fcgi-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-http-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-http-spi-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-io-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-jaas-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-jmx-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-jndi-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-jsp-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-minimal-javadoc-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-openid-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-plus-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-proxy-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-quickstart-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-rewrite-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-security-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-server-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-servlet-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-servlets-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-start-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-util-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-util-ajax-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-webapp-9.4.53-1.1 as a component of openSUSE Tumbleweed jetty-xml-9.4.53-1.1 as a component of openSUSE Tumbleweed Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. CVE-2023-36478 openSUSE Tumbleweed:jetty-annotations-9.4.53-1.1 openSUSE Tumbleweed:jetty-ant-9.4.53-1.1 openSUSE Tumbleweed:jetty-cdi-9.4.53-1.1 openSUSE Tumbleweed:jetty-client-9.4.53-1.1 openSUSE Tumbleweed:jetty-continuation-9.4.53-1.1 openSUSE Tumbleweed:jetty-deploy-9.4.53-1.1 openSUSE Tumbleweed:jetty-fcgi-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-spi-9.4.53-1.1 openSUSE Tumbleweed:jetty-io-9.4.53-1.1 openSUSE Tumbleweed:jetty-jaas-9.4.53-1.1 openSUSE Tumbleweed:jetty-jmx-9.4.53-1.1 openSUSE Tumbleweed:jetty-jndi-9.4.53-1.1 openSUSE Tumbleweed:jetty-jsp-9.4.53-1.1 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.53-1.1 openSUSE Tumbleweed:jetty-openid-9.4.53-1.1 openSUSE Tumbleweed:jetty-plus-9.4.53-1.1 openSUSE Tumbleweed:jetty-proxy-9.4.53-1.1 openSUSE Tumbleweed:jetty-quickstart-9.4.53-1.1 openSUSE Tumbleweed:jetty-rewrite-9.4.53-1.1 openSUSE Tumbleweed:jetty-security-9.4.53-1.1 openSUSE Tumbleweed:jetty-server-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlet-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlets-9.4.53-1.1 openSUSE Tumbleweed:jetty-start-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-ajax-9.4.53-1.1 openSUSE Tumbleweed:jetty-webapp-9.4.53-1.1 openSUSE Tumbleweed:jetty-xml-9.4.53-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-36478.html CVE-2023-36478 https://bugzilla.suse.com/1216162 SUSE Bug 1216162 Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2. CVE-2023-36479 openSUSE Tumbleweed:jetty-annotations-9.4.53-1.1 openSUSE Tumbleweed:jetty-ant-9.4.53-1.1 openSUSE Tumbleweed:jetty-cdi-9.4.53-1.1 openSUSE Tumbleweed:jetty-client-9.4.53-1.1 openSUSE Tumbleweed:jetty-continuation-9.4.53-1.1 openSUSE Tumbleweed:jetty-deploy-9.4.53-1.1 openSUSE Tumbleweed:jetty-fcgi-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-spi-9.4.53-1.1 openSUSE Tumbleweed:jetty-io-9.4.53-1.1 openSUSE Tumbleweed:jetty-jaas-9.4.53-1.1 openSUSE Tumbleweed:jetty-jmx-9.4.53-1.1 openSUSE Tumbleweed:jetty-jndi-9.4.53-1.1 openSUSE Tumbleweed:jetty-jsp-9.4.53-1.1 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.53-1.1 openSUSE Tumbleweed:jetty-openid-9.4.53-1.1 openSUSE Tumbleweed:jetty-plus-9.4.53-1.1 openSUSE Tumbleweed:jetty-proxy-9.4.53-1.1 openSUSE Tumbleweed:jetty-quickstart-9.4.53-1.1 openSUSE Tumbleweed:jetty-rewrite-9.4.53-1.1 openSUSE Tumbleweed:jetty-security-9.4.53-1.1 openSUSE Tumbleweed:jetty-server-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlet-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlets-9.4.53-1.1 openSUSE Tumbleweed:jetty-start-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-ajax-9.4.53-1.1 openSUSE Tumbleweed:jetty-webapp-9.4.53-1.1 openSUSE Tumbleweed:jetty-xml-9.4.53-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-36479.html CVE-2023-36479 https://bugzilla.suse.com/1215415 SUSE Bug 1215415 Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario. CVE-2023-40167 openSUSE Tumbleweed:jetty-annotations-9.4.53-1.1 openSUSE Tumbleweed:jetty-ant-9.4.53-1.1 openSUSE Tumbleweed:jetty-cdi-9.4.53-1.1 openSUSE Tumbleweed:jetty-client-9.4.53-1.1 openSUSE Tumbleweed:jetty-continuation-9.4.53-1.1 openSUSE Tumbleweed:jetty-deploy-9.4.53-1.1 openSUSE Tumbleweed:jetty-fcgi-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-spi-9.4.53-1.1 openSUSE Tumbleweed:jetty-io-9.4.53-1.1 openSUSE Tumbleweed:jetty-jaas-9.4.53-1.1 openSUSE Tumbleweed:jetty-jmx-9.4.53-1.1 openSUSE Tumbleweed:jetty-jndi-9.4.53-1.1 openSUSE Tumbleweed:jetty-jsp-9.4.53-1.1 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.53-1.1 openSUSE Tumbleweed:jetty-openid-9.4.53-1.1 openSUSE Tumbleweed:jetty-plus-9.4.53-1.1 openSUSE Tumbleweed:jetty-proxy-9.4.53-1.1 openSUSE Tumbleweed:jetty-quickstart-9.4.53-1.1 openSUSE Tumbleweed:jetty-rewrite-9.4.53-1.1 openSUSE Tumbleweed:jetty-security-9.4.53-1.1 openSUSE Tumbleweed:jetty-server-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlet-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlets-9.4.53-1.1 openSUSE Tumbleweed:jetty-start-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-ajax-9.4.53-1.1 openSUSE Tumbleweed:jetty-webapp-9.4.53-1.1 openSUSE Tumbleweed:jetty-xml-9.4.53-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-40167.html CVE-2023-40167 https://bugzilla.suse.com/1215417 SUSE Bug 1215417 Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue. CVE-2023-41900 openSUSE Tumbleweed:jetty-annotations-9.4.53-1.1 openSUSE Tumbleweed:jetty-ant-9.4.53-1.1 openSUSE Tumbleweed:jetty-cdi-9.4.53-1.1 openSUSE Tumbleweed:jetty-client-9.4.53-1.1 openSUSE Tumbleweed:jetty-continuation-9.4.53-1.1 openSUSE Tumbleweed:jetty-deploy-9.4.53-1.1 openSUSE Tumbleweed:jetty-fcgi-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-spi-9.4.53-1.1 openSUSE Tumbleweed:jetty-io-9.4.53-1.1 openSUSE Tumbleweed:jetty-jaas-9.4.53-1.1 openSUSE Tumbleweed:jetty-jmx-9.4.53-1.1 openSUSE Tumbleweed:jetty-jndi-9.4.53-1.1 openSUSE Tumbleweed:jetty-jsp-9.4.53-1.1 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.53-1.1 openSUSE Tumbleweed:jetty-openid-9.4.53-1.1 openSUSE Tumbleweed:jetty-plus-9.4.53-1.1 openSUSE Tumbleweed:jetty-proxy-9.4.53-1.1 openSUSE Tumbleweed:jetty-quickstart-9.4.53-1.1 openSUSE Tumbleweed:jetty-rewrite-9.4.53-1.1 openSUSE Tumbleweed:jetty-security-9.4.53-1.1 openSUSE Tumbleweed:jetty-server-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlet-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlets-9.4.53-1.1 openSUSE Tumbleweed:jetty-start-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-ajax-9.4.53-1.1 openSUSE Tumbleweed:jetty-webapp-9.4.53-1.1 openSUSE Tumbleweed:jetty-xml-9.4.53-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-41900.html CVE-2023-41900 https://bugzilla.suse.com/1215416 SUSE Bug 1215416 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 openSUSE Tumbleweed:jetty-annotations-9.4.53-1.1 openSUSE Tumbleweed:jetty-ant-9.4.53-1.1 openSUSE Tumbleweed:jetty-cdi-9.4.53-1.1 openSUSE Tumbleweed:jetty-client-9.4.53-1.1 openSUSE Tumbleweed:jetty-continuation-9.4.53-1.1 openSUSE Tumbleweed:jetty-deploy-9.4.53-1.1 openSUSE Tumbleweed:jetty-fcgi-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-9.4.53-1.1 openSUSE Tumbleweed:jetty-http-spi-9.4.53-1.1 openSUSE Tumbleweed:jetty-io-9.4.53-1.1 openSUSE Tumbleweed:jetty-jaas-9.4.53-1.1 openSUSE Tumbleweed:jetty-jmx-9.4.53-1.1 openSUSE Tumbleweed:jetty-jndi-9.4.53-1.1 openSUSE Tumbleweed:jetty-jsp-9.4.53-1.1 openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.53-1.1 openSUSE Tumbleweed:jetty-openid-9.4.53-1.1 openSUSE Tumbleweed:jetty-plus-9.4.53-1.1 openSUSE Tumbleweed:jetty-proxy-9.4.53-1.1 openSUSE Tumbleweed:jetty-quickstart-9.4.53-1.1 openSUSE Tumbleweed:jetty-rewrite-9.4.53-1.1 openSUSE Tumbleweed:jetty-security-9.4.53-1.1 openSUSE Tumbleweed:jetty-server-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlet-9.4.53-1.1 openSUSE Tumbleweed:jetty-servlets-9.4.53-1.1 openSUSE Tumbleweed:jetty-start-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-9.4.53-1.1 openSUSE Tumbleweed:jetty-util-ajax-9.4.53-1.1 openSUSE Tumbleweed:jetty-webapp-9.4.53-1.1 openSUSE Tumbleweed:jetty-xml-9.4.53-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-44487.html CVE-2023-44487 https://bugzilla.suse.com/1216109 SUSE Bug 1216109 https://bugzilla.suse.com/1216123 SUSE Bug 1216123 https://bugzilla.suse.com/1216169 SUSE Bug 1216169 https://bugzilla.suse.com/1216171 SUSE Bug 1216171 https://bugzilla.suse.com/1216174 SUSE Bug 1216174 https://bugzilla.suse.com/1216176 SUSE Bug 1216176 https://bugzilla.suse.com/1216181 SUSE Bug 1216181 https://bugzilla.suse.com/1216182 SUSE Bug 1216182 https://bugzilla.suse.com/1216190 SUSE Bug 1216190