Jetty security issue #1189

Closed
GogicM opened this issue Dec 12, 2017 · 3 comments · Fixed by #1200
Labels
Security This issue/PR has some security critical aspect and should be issued as soon as possible

Comments

GogicM commented Dec 12, 2017

We have found a potential security risk with the Jetty version that Kapua uses.

**CVE-2017-9735 Detail**
Current Description
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

https://nvd.nist.gov/vuln/detail/CVE-2017-9735
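Added example, not part of the issue thread and not Jetty's or Kapua's code: the kind of timing channel the CVE description refers to, shown as an early-exit comparison beside a comparison whose work does not depend on how much of the secret matches. The class name, method names and sample strings are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class PasswordCompareDemo {

    // Early-exit comparison (the weak pattern). Returns the number of character
    // comparisons performed, a deterministic stand-in for elapsed time.
    static int leakySteps(String expected, String supplied) {
        int steps = 0;
        int n = Math.min(expected.length(), supplied.length());
        for (int i = 0; i < n; i++) {
            steps++;
            if (expected.charAt(i) != supplied.charAt(i)) {
                break; // stops at the first mismatch: work depends on the secret
            }
        }
        return steps;
    }

    // Hardened comparison: hash both values so the compared arrays always have
    // the same length, then compare them without an early exit.
    static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            byte[] a = sha.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha.digest(supplied.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available on every Java platform", e);
        }
    }

    public static void main(String[] args) {
        String stored = "s3cret-Value"; // constructed sample, not a real credential
        String[] inputs = { "xxxxxxxxxxxx", "s3cxxxxxxxxx", "s3cret-Valux", "s3cret-Value" };
        for (String in : inputs) {
            System.out.printf("%-14s leaky steps=%2d  constantTimeEquals=%b%n",
                    in, leakySteps(stored, in), constantTimeEquals(stored, in));
        }
    }
}
```

The step count of the early-exit version rises with the length of the matching prefix, which is the signal a timing channel exposes; the hashed comparison does the same amount of work for every input of a given length.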

Coduz added the Security label Dec 12, 2017

Coduz (Contributor) commented Dec 12, 2017

Thank you for the report.
We will try to address this problem as soon as possible.

ctron (Contributor) commented Dec 13, 2017

Please do report security related issues according to the Eclipse Security policy:

https://eclipse.org/security/

GogicM (Author) commented Dec 14, 2017

Done. :)
