activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bruce Snyder (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-3693) Upgrade Jetty to address CVE-2011-4461
Date Fri, 10 Feb 2012 05:35:59 GMT

    [ https://issues.apache.org/jira/browse/AMQ-3693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205249#comment-13205249
] 

Bruce Snyder commented on AMQ-3693:
-----------------------------------

I have determined that the NPE is actually due to the combination of two items: 
# A misconfiguration of Jetty in the jetty.xml file -- normally each web context should have
its own authenticator configured. The way that the three contexts are currently configured
is not correct. I'm still working through this with Greg Wilkins. 
# A bug in Jetty where it should be performing a null check on the security handler for a
given context: 

[https://bugs.eclipse.org/bugs/show_bug.cgi?id=371162]

Greg has already fixed this bug in the Jetty master branch and will included it in the Jetty
7.6.1 release next week. 
                
> Upgrade Jetty to address CVE-2011-4461
> --------------------------------------
>
>                 Key: AMQ-3693
>                 URL: https://issues.apache.org/jira/browse/AMQ-3693
>             Project: ActiveMQ
>          Issue Type: Task
>    Affects Versions: 5.5.1
>            Reporter: Bruce Snyder
>         Attachments: upgrade-jetty.patch
>
>
> Upgrade Jetty to the 7.6.0 release when it becomes final so as to address a DoS vulnerability.
See the [CVE-2011-4461|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461] for more
information. See also the attached patch for changes. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message