Security update for jetty-minimal
This update for jetty-minimal fixes the following issues:
Update to version 9.4.42.v20210604
- Fix: bsc#1187117, CVE-2021-28169 - possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory
- Fix: bsc#1184367, CVE-2021-28165 - Jetty server high CPU when a client sends a large invalid TLS frame (data length > 17408)
- Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs
- Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory from deployment scan
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Submitted by
Fridrich Strba (fstrba)
Fixed bugs
bnc#1184366
VUL-0: CVE-2021-28163: jetty-minimal: leak of the contents of the webapps directory when it is deployed as a static webapp
bnc#1184368
VUL-0: CVE-2021-28164: jetty-minimal: the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory
bnc#1184367
VUL-0: CVE-2021-28165: jetty-minimal: CPU usage can reach 100% upon receiving a large invalid TLS frame
bnc#1187117
VUL-0: CVE-2021-28169: jetty-minimal: it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory
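The two WEB-INF issues above (CVE-2021-28164 and CVE-2021-28169) share one root cause: the path that reaches the resource lookup has been percent-decoded once more than the path the access check looked at, so an encoded "." or ".." segment (or an encoded letter of "WEB-INF" itself) only becomes visible after the check has passed. The Python below is an added illustration, not Jetty's code and not part of this update: a request-path check of the kind a reverse proxy or WAF rule could apply in front of an unpatched server. It decodes a raw path once and twice, collapses dot segments, and rejects any request whose dot segments appear only after decoding or whose resolved path enters a protected directory. The sample paths are constructed, and the PROTECTED tuple and all function names are this example's own.

```python
from urllib.parse import unquote

# Directories a servlet container must not serve directly. Hypothetical
# list for this example; it mirrors the WEB-INF/META-INF protection the
# advisory describes but is not Jetty's own configuration.
PROTECTED = ("web-inf", "meta-inf")


def has_encoded_dot_segment(path):
    """True if a segment only becomes '.' or '..' after one round of decoding.

    A literal '.' or '..' is unambiguous and is collapsed by normal URI
    canonicalisation; the CVE-2021-28164 case is a %2e / %2e%2e segment
    that survives canonicalisation and is decoded later.
    """
    for seg in path.split("/"):
        if "%" in seg and unquote(seg) in (".", ".."):
            return True
    return False


def collapse_dots(decoded_path):
    """Resolve '.' and '..' segments without ever climbing above the root."""
    out = []
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def enters_protected(path):
    """True if the first segment of an already-resolved path is protected."""
    parts = path.split("/")
    first = parts[1] if len(parts) > 1 else ""
    return first.casefold() in PROTECTED


def check_request(raw_path):
    """Classify a raw request path and say whether it should be rejected.

    'single' is the path as a container sees it after its one decoding
    pass; 'double' is what a component that decodes the result again
    (the CVE-2021-28169 ConcatServlet case) would act on.
    """
    reasons = []
    once_decoded = unquote(raw_path)
    twice_decoded = unquote(once_decoded)

    if has_encoded_dot_segment(raw_path):
        reasons.append("encoded dot segment (%2e) in raw path")
    if has_encoded_dot_segment(once_decoded):
        reasons.append("dot segment appears only after double decoding")

    single = collapse_dots(once_decoded)
    double = collapse_dots(twice_decoded)
    for label, resolved in (("single-decoded", single), ("double-decoded", double)):
        if enters_protected(resolved):
            reasons.append(f"{label} path resolves into {resolved.split('/')[1]}")

    return {
        "single": single,
        "double": double,
        "reject": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample request paths: one benign, then the encoded and
    # doubly encoded dot-segment shapes named in the advisory.
    for sample in (
        "/static/css/site.css",
        "/%2e/WEB-INF/web.xml",
        "/%2e%2e/WEB-INF/web.xml",
        "/%252e/WEB-INF/web.xml",
    ):
        verdict = check_request(sample)
        state = "REJECT" if verdict["reject"] else "allow "
        print(f"{state} {sample:28} -> {verdict['double']}  {verdict['reasons']}")
```

Run against a captured access log, the same check is a reasonable way to look for exploitation attempts in retrospect: any request whose single- and double-decoded forms differ in whether they enter WEB-INF or META-INF deserves a look. The check is deliberately stricter than the fixed Jetty behaviour, which normalises ambiguous URIs rather than rejecting them; at a proxy, rejecting is the safer default.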