Hi,

When working on adding the OSGi metadata on jetty I noticed that we got a security related RC bug - the exploits are listed in [1]. I have no experience with jetty other than doing a clean up upload or two on it in the past; so I would like some people with more experience with it to lend me a pair of eyeballs.

As I understand it most of these exploits are related to the "default" test webapps. I am not sure whether we ship any of them at all in compiled form (at least the webapp dir does not seem to contain any of the files). Here is my understanding of the situation:

A) "Dump Servlet" information leak
B) "FORM Authentication demo" information leak
C) "JSP Dump" reflected XSS
D) "Session Dump Servlet" stored XSS
   - Not enabled/shipped in binary
E) "Cookie Dump Servlet" escape sequence injection
F) HTTP Content-Length header escape sequence injection
   - Imported patch from Fedora that fixes these.
G) "Cookie Dump Servlet" stored XSS
   - Unknown.
H) WebApp JSP Snoop page XSS
   - Wrote a patch fixing this - Review appreciated.

I did try to pack the new upstream version (since it did fix one of these - [H] if I recall correctly) - but I immediately backed off when the java compiler complained about "\0" (NUL) characters in one of the source files and "catch" blocks without a preceding try block - that was a tad too broken for my liking.

I have committed my changes to the SVN, but I did not mark the bug as closed since I am unsure whether I got them all (particularly A-D and G), though I marked a CVE ID that was fixed by one of the Fedora patches.

As for the OSGi metadata; I could use some help with that as well. I cannot figure out how Fedora gets it created when we don't. They do not seem to have any patches adding it [2]; though I admit I know hardly anything about maven - so I would appreciate if anyone with maven experience could tell me what I am looking for or if maven has no part in it at all.

Thank you in advance,
~Niels

[1] http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
[2] http://cvs.fedoraproject.org/viewvc/rpms/jetty/devel/