File _patchinfo of Package patchinfo.31060
<patchinfo incident="31060">
<issue tracker="cve" id="2023-36479"/>
<issue tracker="cve" id="2023-40167"/>
<issue tracker="cve" id="2023-41900"/>
<issue tracker="cve" id="2023-44487"/>
<issue tracker="cve" id="2023-36478"/>
<issue tracker="bnc" id="1215415">VUL-1: CVE-2023-36479: jetty-websocket,jetty-minimal: Errant command quoting in org.eclipse.jetty.servlets.CGI Servlet</issue>
<issue tracker="bnc" id="1215417">VUL-0: CVE-2023-40167: jetty-minimal,jetty-websocket: accepts "+" prefixed value in Content-Length</issue>
<issue tracker="bnc" id="1215416">VUL-0: CVE-2023-41900: jetty-websocket,jetty-minimal: OpenId Revoked authentication allows one request</issue>
<issue tracker="bnc" id="1216169">VUL-0: netty: protect against DDOS caused by RST floods (CVE-2023-44487)</issue>
<issue tracker="bnc" id="1216162">VUL-0: CVE-2023-36478: jetty-minimal,jetty-websocket: HTTP/2 HPACK integer overflow and buffer allocation</issue>
<packager>fstrba</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for jetty-minimal</summary>
<description>This update for jetty-minimal fixes the following issues:
- Updated to version 9.4.53.v20231009:
  - CVE-2023-44487: Fixed a potential denial of service via HTTP/2
    RST_STREAM frame floods (bsc#1216169).
  - CVE-2023-36478: Fixed an integer overflow in the HTTP/2 HPACK
    decoder affecting buffer allocation (bsc#1216162).
  - CVE-2023-40167: Fixed permissive Content-Length header parsing that
    accepted a "+"-prefixed value and could enable HTTP request
    smuggling (bsc#1215417).
  - CVE-2023-36479: Fixed errant command quoting in the CGI servlet,
    which could cause an unintended command to be executed when a
    requested filename contains certain characters (bsc#1215415).
  - CVE-2023-41900: Fixed an issue where a session whose OpenID
    authentication had been revoked could still perform a single
    request (bsc#1215416).
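
The following Python example is added here for illustration; it is not part of this update, the Jetty project, or the original patchinfo text. It shows the CVE-2023-40167 parsing difference on a constructed request stream: a lenient parser that accepts a signed Content-Length value (int() does, like Java's Long.parseLong) reads the trailing bytes as the POST body, an assumed peer that treats the unparseable header as absent sees a second request instead, and a strict digits-only parser rejects the message outright. The "ignore" peer behaviour and the RAW stream are assumptions made for the demonstration.

```python
import re

# Only plain ASCII digits are a valid Content-Length (RFC 9110 section 8.6).
DIGITS_ONLY = re.compile(rb"[0-9]+")

# Constructed sample stream (not from the advisory): one POST whose
# Content-Length carries a leading "+", followed by bytes that look like a
# second request. Parsers that disagree on the body length disagree on where
# the first message ends, which is the request smuggling primitive.
RAW = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app\r\n"
    b"Content-Length: +23\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n\r\n"   # exactly 23 bytes
)


def parse_content_length(value, mode):
    """Return the body length for a Content-Length value, or None to reject.

    mode "lenient" models the pre-9.4.53 behaviour described above: a signed
    value such as "+23" is accepted because int() (like Java's Long.parseLong)
    tolerates an explicit sign.
    mode "ignore" is an assumed peer that drops a header it cannot parse and
    proceeds as if no body were declared.
    mode "strict" is the hardened form: digits only, anything else rejected.
    """
    v = value.strip()
    if DIGITS_ONLY.fullmatch(v):
        return int(v)
    if mode == "lenient":
        try:
            n = int(v)
        except ValueError:
            return None
        return n if n >= 0 else None
    if mode == "ignore":
        return 0
    return None


def split_requests(stream, mode):
    """Split an HTTP/1.1 byte stream into (request_line, body) pairs.

    Returns (requests, status) where status is "ok", "reject" (an invalid
    Content-Length was refused) or "truncated" (stream ended mid-message).
    """
    requests = []
    pos = 0
    while len(stream) > pos:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            return requests, "truncated"
        head = stream[pos:end].split(b"\r\n")
        request_line = head[0].decode("ascii")
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = parse_content_length(value, mode)
                if length is None:
                    return requests, "reject"
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) != length:
            return requests, "truncated"
        requests.append((request_line, body))
        pos = body_start + length
    return requests, "ok"


def boundaries_by_mode(stream=RAW):
    """Summarise how each parser carves the same bytes: mode -> (count, status)."""
    summary = {}
    for mode in ("lenient", "ignore", "strict"):
        reqs, status = split_requests(stream, mode)
        summary[mode] = (len(reqs), status)
    return summary


if __name__ == "__main__":
    for mode, (count, status) in boundaries_by_mode().items():
        print(f"{mode:8s} requests={count} status={status}")
```

On the sample stream the lenient parser sees one POST carrying "GET /admin" as its body, the ignoring peer sees two requests, and the strict parser refuses the message. The fixed behaviour is the strict branch: a Content-Length that is not purely digits must be rejected rather than coerced, so that every hop on the path agrees on message boundaries.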
</description>
</patchinfo>