activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Timothy Bish (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-3693) Upgrade Jetty to address CVE-2011-4461
Date Tue, 07 Feb 2012 14:29:00 GMT

    [ https://issues.apache.org/jira/browse/AMQ-3693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13202421#comment-13202421
] 

Timothy Bish commented on AMQ-3693:
-----------------------------------

Applying the new patch and running locally, access to the AMQ web console produces large numbers
of the following exception on the broker:

{noformat}
WARN | /admin/styles/prettify.css;jsessionid=16o74xc6vb13s1dc6cpufjy8de
java.lang.NullPointerException
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:514)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:499)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
	at org.eclipse.jetty.server.Server.handle(Server.java:349)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:910)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:634)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
	at java.lang.Thread.run(Thread.java:662)
{noformat}

                
> Upgrade Jetty to address CVE-2011-4461
> --------------------------------------
>
>                 Key: AMQ-3693
>                 URL: https://issues.apache.org/jira/browse/AMQ-3693
>             Project: ActiveMQ
>          Issue Type: Task
>    Affects Versions: 5.5.1
>            Reporter: Bruce Snyder
>         Attachments: upgrade-jetty.patch
>
>
> Upgrade Jetty to the 7.6.0 release when it becomes final so as to address a DoS vulnerability.
See the [CVE-2011-4461|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461] for more
information. See also the attached patch for changes. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message