activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bruce Snyder (Commented) (JIRA)" <>
Subject [jira] [Commented] (AMQ-3693) Upgrade Jetty to address CVE-2011-4461
Date Fri, 10 Feb 2012 05:35:59 GMT


Bruce Snyder commented on AMQ-3693:

I have determined that the NPE is actually due to the combination of two items: 
# A misconfiguration of Jetty in the jetty.xml file -- normally each web context should have
its own authenticator configured. The way that the three contexts are currently configured
is not correct. I'm still working through this with Greg Wilkins. 
# A bug in Jetty where it should be performing a null check on the security handler for a
given context: 


Greg has already fixed this bug in the Jetty master branch and will included it in the Jetty
7.6.1 release next week. 
> Upgrade Jetty to address CVE-2011-4461
> --------------------------------------
>                 Key: AMQ-3693
>                 URL:
>             Project: ActiveMQ
>          Issue Type: Task
>    Affects Versions: 5.5.1
>            Reporter: Bruce Snyder
>         Attachments: upgrade-jetty.patch
> Upgrade Jetty to the 7.6.0 release when it becomes final so as to address a DoS vulnerability.
See the [CVE-2011-4461|] for more
information. See also the attached patch for changes. 

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message