Re: [jetty-dev] Regarding support required for few vulnerabilities of Jetty
  • From: Apoorva Maheshwari <apoorva.maheshwari@xxxxxxxxxxxx>
  • Date: Thu, 12 Aug 2021 09:40:16 +0000
  • Accept-language: en-US

Also, as per the trail mail reply from your side, it is written:

The CVEs have been fixed, in their appropriate versions.

Jetty 9.x, 10.x, and 11.x all have fixes; the individual CVEs have details on which versions are impacted and which versions have the fixes.

I need a confirmation of whether these vulnerability fixes will be on Java 11 or Java 8.

Regards,

Apoorva Maheshwari

From: Apoorva Maheshwari
Sent: Thursday, August 12, 2021 1:22 PM
To: Joakim Erdfelt <joakim@xxxxxxxxxxx>; Jetty @ Eclipse developer discussion list <jetty-dev@xxxxxxxxxxx>
Subject: RE: [jetty-dev] Regarding support required for few vulnerabilities of Jetty

Hello,

Thanks for your reply.

Actually, we are just downloading the Eclipse JAR from the link below.

https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-4.10-201812060815/equinox-SDK-4.10.zip

We are unable to understand this P2 repository concept.

Kindly provide more info on that.

Regards,

Apoorva Maheshwari

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Sent: Monday, August 9, 2021 7:46 PM
To: Jetty @ Eclipse developer discussion list <jetty-dev@xxxxxxxxxxx>
Cc: Apoorva Maheshwari <apoorva.maheshwari@xxxxxxxxxxxx>
Subject: Re: [jetty-dev] Regarding support required for few vulnerabilities of Jetty

Sending the same question doesn't change the existing answer.

The CVEs have been fixed, in their appropriate versions.

Jetty 9.x, 10.x, and 11.x all have fixes; the individual CVEs have details on which versions are impacted and which versions have the fixes.

The P2 repositories at eclipse.org are for consumption by other Eclipse projects only.

The P2 repositories at eclipse.org are not meant to be used by the general public for your own projects, as you are currently doing.

We, Eclipse Jetty, do not build the P2 repositories you have found on eclipse.org; those are built by the other Eclipse projects that need/want them for their OSGi needs.

Last we heard, there are about 7 such P2 repositories scattered around eclipse.org with Eclipse Jetty artifacts present in them.

The P2 repositories you have found are always incomplete copies of what Eclipse Jetty distributes, as the other Eclipse projects only build and place into their P2 repository the limited set of features and jars that they personally need.

If you require the Jetty 9.4.x series on a P2 repo, you are expected to build the P2 repositories in your own infrastructure.

Note that P2 repositories as a whole are now deprecated and are going away in light of the new Tycho features that can provide P2-like features but from a Maven repository.


Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, Aug 9, 2021 at 8:29 AM Apoorva Maheshwari via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:

Hi Team,

In one of our nodes we are currently using Equinox version 4.16, which has Jetty version 9.4.29. The latest version available for an Equinox upgrade is 4.20, which uses Jetty 10.0.5, and Jetty 10.x has a dependency on Java 11. I have attached the current study document with this email. Let me know if you need any information.

Please confirm if you can share the fix for these open vulnerabilities as a backport.

Eclipse Jetty denial of service in jetty-io: CVE-2021-28165

Jetty Utility Servlets Double Decoding Information Disclosure Vulnerability: CVE-2021-28169

CVE-2021-34428 (https://nvd.nist.gov/vuln/detail/CVE-2021-34428)

Quick response will be appreciated.

Thanks in advance.


Regards,

APOORVA MAHESHWARI  

Sr. Software Engineer
BDGS, R&D
2nd Floor, ASF Insignia - Block B Kings Canyon,
Gwal Pahari, Gurgaon, Haryana 122003, India
Phone: 8860498817
apoorva.maheshwari@xxxxxxxxxxxx
www.ericsson.com
