From: Joe Bohn
To: user@geronimo.apache.org
Date: Wed, 16 Jan 2008 14:47:52 -0500
Subject: Re: [SECURITY] Potential vulnerability in Jetty servlet container
Message-ID: <478E5F68.7040802@earthlink.net>
In-Reply-To: <478BBC36.40505@earthlink.net>

I've updated this notice with a better location from which to obtain the jetty-6.1.7.jar (see below).

Joe Bohn wrote:
> The Geronimo project has learned of a security vulnerability in the
> Jetty servlet container (6.1.5) included in Geronimo. If you use a
> Jetty configuration of Geronimo you may be affected by the vulnerability.
>
> This vulnerability impacts Jetty configurations of Geronimo 2.0.1 and
> 2.0.2.
>
> For specific information regarding the Jetty vulnerability, see
> http://www.kb.cert.org/vuls/id/553235
>
> The problem is related to the processing of URLs which contain multiple
> consecutive forward slash (/) characters that are handled incorrectly
> (for example, http://foo//../bar).
>
> If your system is susceptible to attacks using such URLs we recommend
> that you filter these URLs using an application firewall or reverse
> proxy server.
>
> Alternatively, you can upgrade your Geronimo Jetty server image to
> utilize the corrected Jetty 6.1.7 jar:
> - Obtain a jetty-6.1.7.jar from http://repo1.maven.org/maven2/org/mortbay/jetty/jetty/6.1.7/jetty-6.1.7.jar
> - Stop your Geronimo Jetty server image
> - Copy jetty-6.1.7.jar to
>   /repository/org/mortbay/jetty/jetty/6.1.7/jetty-6.1.7.jar
> - Remove the Jetty 6.1.5 jar:
>   /repository/org/mortbay/jetty/jetty/6.1.5/jetty-6.1.5.jar
> - Start the Geronimo Jetty server. The server will now be using the
>   6.1.7 Jetty jar.
>
> This vulnerability will be fixed in the next release of Geronimo (2.0.3
> and/or 2.1) which will include Jetty 6.1.7 correcting the vulnerability.
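The notice recommends filtering URLs of the shape `http://foo//../bar` at a reverse proxy or application firewall. The following is an added example of such a filter, not Geronimo or Jetty code: it flags request targets with consecutive slashes or with dot-segments that change under normalisation, and scans a few constructed (not real) access-log lines with it.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

DOUBLE_SLASH = re.compile(r"/{2,}")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/')

def request_path(target):
    """Path of '/a?x' or 'http://h/a'; hand-rolled because urlsplit reads a leading '//' as a host."""
    if "://" in target:
        rest = target.partition("://")[2]
        _, slash, path = rest.partition("/")
        target = slash + path
    return target.split("?", 1)[0] or "/"

def normalize_path(path):
    """Collapse repeated slashes, then resolve '.' and '..' segments."""
    collapsed = DOUBLE_SLASH.sub("/", path)
    normalized = normpath(collapsed)
    # normpath strips a trailing slash; restore it so '/dir/' is not flagged
    if collapsed.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized

def path_violation(target):
    """Return a reason string if the request target should be rejected, else None."""
    # Decode percent-encoding once so %2F / %2E cannot hide the pattern.
    path = unquote(request_path(target))
    if DOUBLE_SLASH.search(path):
        return "consecutive slashes"
    if path != normalize_path(path):
        return "unnormalized dot-segments"
    return None

# Constructed access-log lines (not real traffic) to exercise the filter.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2008:14:47:52 -0500] "GET /console/index.jsp HTTP/1.1" 200 512
10.0.0.6 - - [16/Jan/2008:14:48:01 -0500] "GET /foo//../bar HTTP/1.1" 200 1044
10.0.0.7 - - [16/Jan/2008:14:48:09 -0500] "GET /foo/%2e%2e/bar HTTP/1.1" 404 0
10.0.0.8 - - [16/Jan/2008:14:48:15 -0500] "GET /images/logo.png?v=2 HTTP/1.1" 200 8192
"""

def scan_access_log(text):
    """Return [(target, reason)] for every request line the filter would reject."""
    flagged = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and path_violation(m.group(1)):
            flagged.append((m.group(1), path_violation(m.group(1))))
    return flagged
```

The same `path_violation` check can be applied per request in a proxy before the request is forwarded; the log scan is the retrospective form, useful for finding whether such URLs reached a 6.1.5 server before the jar was replaced.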