
[epp-dev] How to update jetty in a fork of epp?
  • From: "Homer, Tony" <tony.homer@xxxxxxxxx>
  • Date: Tue, 17 Nov 2020 19:33:11 +0000
  • Accept-language: en-US
  • Delivered-to: epp-dev@xxxxxxxxxxx
  • List-archive: <https://www.eclipse.org/mailman/private/epp-dev>
  • List-help: <mailto:epp-dev-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/epp-dev>, <mailto:epp-dev-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/epp-dev>, <mailto:epp-dev-request@eclipse.org?subject=unsubscribe>
  • Thread-index: AQHWvRh8dEkvXxxmeEWMcLc494ZH7Q==
  • Thread-topic: How to update jetty in a fork of epp?
  • User-agent: Microsoft-MacOutlook/16.43.20110804

Eclipse 2020-09 is affected by CVE-2020-27216 via its inclusion of Jetty 9.4.31.v20200723.

Here is the Jetty advisory:

https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053

Here is the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2020-27216

I haven’t yet checked if there is a bug logged for this in Eclipse Bugzilla, but I plan to do so ASAP.


I maintain a local fork of epp.packages, primarily for fixing CVEs in Eclipse for C/C++ developers in support of releases that are out of sync with Eclipse SimRel releases.

I do this by inserting a target definition into the build defined in releng/org.eclipse.epp.config/parent/pom.xml.

This lets me override dependency versions, which are typically the root cause of CVEs.


However, in cases like CVE-2020-27216 where the CVE exposure comes from a transitive dependency of an Eclipse feature that EPP.CDT depends on, it doesn’t seem like it’s possible to override the transitive dependency because the upstream Eclipse feature needs a specific version.

In this case, the chain is

CDT depends on Platform, Platform provides Help, Help depends on Jetty 9.4.31


When I add Jetty 9.4.34 to my target definition, it is ignored, because the Jetty dependency is resolved via the Help feature.

If I try to force it by adding a restrictTo filter to the Tycho build, I get Missing requirement/Cannot satisfy dependency errors (see below for relevant error example).


I have two more ideas for how to replace Jetty.

  1. Fork Eclipse Platform so that I can bump the version of Jetty.  This is not a practical solution for me in the timeframe I have available.
  2. Replace the Jetty plugins post-build.  I’m not sure if this will even work, but it’s very ugly and risky.


Any suggestions for how to replace Jetty without forking Eclipse Platform or a post-build brute force hack?


Thank you.

Tony Homer


[INFO] Performing subquery

[INFO] Resolving dependencies of MavenProject: org.eclipse.epp:org.eclipse.epp.package.cpp.feature:4.17.0-SNAPSHOT @ MYBUILDROOT/packages/org.eclipse.epp.package.cpp.feature/pom.xml

[INFO] {osgi.os=linux, osgi.ws=gtk, org.eclipse.update.install.features=true, osgi.arch=x86_64}

[ERROR] Cannot resolve project dependencies:

[ERROR]   Software being installed: org.eclipse.epp.package.cpp.feature.feature.group 4.17.0.qualifier

[ERROR]   Missing requirement: org.eclipse.help.feature.group 2.3.300.v20200902-1800 requires 'org.eclipse.equinox.p2.iu; org.eclipse.jetty.continuation [9.4.31.v20200723,9.4.31.v20200723]' but it could not be found

[ERROR]   Cannot satisfy dependency: org.eclipse.epp.package.cpp.feature.feature.group 4.17.0.qualifier depends on: org.eclipse.equinox.p2.iu; org.eclipse.platform.ide 0.0.0

[ERROR]   Cannot satisfy dependency: org.eclipse.platform.feature.group 4.17.0.v20200902-1800 depends on: org.eclipse.equinox.p2.iu; org.eclipse.help.feature.group [2.3.300.v20200902-1800,2.3.300.v20200902-1800]

[ERROR]   Cannot satisfy dependency: org.eclipse.platform.ide 4.17.0.I20200902-1800 depends on: org.eclipse.equinox.p2.iu; org.eclipse.platform.feature.group [4.17.0.v20200902-1800,4.17.0.v20200902-1800]

[ERROR]

[ERROR] See https://wiki.eclipse.org/Tycho/Dependency_Resolution_Troubleshooting for help.

[ERROR] Cannot resolve dependencies of MavenProject: org.eclipse.epp:org.eclipse.epp.package.cpp.feature:4.17.0-SNAPSHOT @ MYBUILDROOT /packages/org.eclipse.epp.package.cpp.feature/pom.xml: See log for details -> [Help 1]
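As an added example (not from this post or the EPP project), a small parser that reconstructs the p2 dependency chain from the Tycho error output quoted above and flags the exact-version [x,x] requirements that make a target-definition override ineffective; the regexes and function names are my own, and the sample log is copied from the message.

```python
import re

# Tycho/p2 resolution errors copied from the log in this post (used as constructed sample input).
SAMPLE_LOG = """\
[ERROR]   Software being installed: org.eclipse.epp.package.cpp.feature.feature.group 4.17.0.qualifier
[ERROR]   Missing requirement: org.eclipse.help.feature.group 2.3.300.v20200902-1800 requires 'org.eclipse.equinox.p2.iu; org.eclipse.jetty.continuation [9.4.31.v20200723,9.4.31.v20200723]' but it could not be found
[ERROR]   Cannot satisfy dependency: org.eclipse.epp.package.cpp.feature.feature.group 4.17.0.qualifier depends on: org.eclipse.equinox.p2.iu; org.eclipse.platform.ide 0.0.0
[ERROR]   Cannot satisfy dependency: org.eclipse.platform.feature.group 4.17.0.v20200902-1800 depends on: org.eclipse.equinox.p2.iu; org.eclipse.help.feature.group [2.3.300.v20200902-1800,2.3.300.v20200902-1800]
[ERROR]   Cannot satisfy dependency: org.eclipse.platform.ide 4.17.0.I20200902-1800 depends on: org.eclipse.equinox.p2.iu; org.eclipse.platform.feature.group [4.17.0.v20200902-1800,4.17.0.v20200902-1800]
"""

ROOT_RE = re.compile(r"Software being installed: (\S+) (\S+)")
# One pattern covers both "Missing requirement: X v requires '...; Y range'" and
# "Cannot satisfy dependency: X v depends on: ...; Y range" lines.
REQ_RE = re.compile(
    r"(Missing requirement|Cannot satisfy dependency): (\S+) (\S+) (?:requires '|depends on: )"
    r"org\.eclipse\.equinox\.p2\.iu; (\S+) (\S+)")

def parse_range(text):
    """p2 range syntax: '[a,b]' is inclusive; a bare version 'a' means >= a with no upper bound."""
    if text[0] in "[(" and text[-1] in "])":
        low, high = text[1:-1].split(",")
        return low, high
    return text, None

def parse_log(log):
    """Return (root IU, {iu: (version, required_iu, low, high, missing)}); last entry wins per IU."""
    root, edges = None, {}
    for line in log.splitlines():
        if m := ROOT_RE.search(line):
            root = m.group(1)
        elif m := REQ_RE.search(line):
            low, high = parse_range(m.group(5).rstrip("'"))  # strip the closing quote of 'requires'
            edges[m.group(2)] = (m.group(3), m.group(4), low, high, m.group(1).startswith("Missing"))
    return root, edges

def dependency_chain(log):
    """Walk from the root being installed down to the requirement p2 could not satisfy."""
    root, edges = parse_log(log)
    chain, cur = [], root
    while cur in edges:
        _version, req, low, high, missing = edges[cur]
        chain.append((cur, req, low, high, missing))
        if missing:
            break
        cur = req
    return chain

def pinned_requirements(log):
    """Edges with an exact [x,x] range: a newer IU in a target definition can never satisfy these."""
    return [(iu, req, low) for iu, req, low, high, _ in dependency_chain(log)
            if high is not None and low == high]
```

For the quoted log the chain is cpp.feature -> platform.ide -> platform.feature.group -> help.feature.group -> jetty.continuation, and the last three links are pinned, which is why the Jetty 9.4.34 entry in the target definition is ignored.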

