File _patchinfo of Package patchinfo.19981

<patchinfo incident="19981">
  <issue tracker="bnc" id="1184366">VUL-0: CVE-2021-28163: jetty-minimal: leak of the contents of the webapps directory when it is deployed as a static webapp</issue>
  <issue tracker="bnc" id="1184368">VUL-0: CVE-2021-28164: jetty-minimal: the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory</issue>
  <issue tracker="bnc" id="1184367">VUL-0: CVE-2021-28165: jetty-minimal: CPU usage can reach 100% upon receiving a large invalid TLS frame</issue>
  <issue tracker="bnc" id="1187117">VUL-0: CVE-2021-28169: jetty-minimal: it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory</issue>
  <issue tracker="cve" id="2021-28164"/>
  <issue tracker="cve" id="2021-28169"/>
  <issue tracker="cve" id="2021-28165"/>
  <issue tracker="cve" id="2021-28163"/>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for jetty-minimal</summary>
  <description>This update for jetty-minimal fixes the following issues:

Update to version 9.4.42.v20210604

- Fix: bsc#1187117, CVE-2021-28169 - possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory
- Fix: bsc#1184367, CVE-2021-28165 - jetty server high CPU when the client sends data of length &gt; 17408
- Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs
- Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory from deployment scan
</description>
</patchinfo>