-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Aug 2021 13:52:06 +0200
Source: jetty9
Binary: jetty9 libjetty9-extra-java libjetty9-java
Architecture: all
Version: 9.4.16-0+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Markus Koschany
Description:
 jetty9     - Java servlet engine and webserver
 libjetty9-extra-java - Java servlet engine and webserver -- extra libraries
 libjetty9-java - Java servlet engine and webserver -- core libraries
Changes:
 jetty9 (9.4.16-0+deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * New upstream version 9.4.16.
     - Fix CVE-2019-10241: The server is vulnerable to XSS conditions if a
       remote client uses a specially formatted URL against the DefaultServlet
       or ResourceHandler that is configured for showing a listing of
       directory contents.
     - Fix CVE-2019-10247: The server running on any OS and Jetty version
       combination will reveal the configured fully qualified directory base
       resource location on the output of the 404 error for not finding a
       Context that matches the requested path. The default server behavior
       on jetty-distribution and jetty-home will include at the end of the
       Handler tree a DefaultHandler, which is responsible for reporting this
       404 error; it presents the various configured contexts as HTML for
       users to click through to. This produced HTML includes output that
       contains the configured fully qualified directory base resource
       location for each context.
   * Fix CVE-2020-27216: On Unix-like systems, the system's temporary
     directory is shared between all users on that system. A collocated user
     can observe the process of creating a temporary subdirectory in the
     shared temporary directory and race to complete the creation of the
     temporary subdirectory. If the attacker wins the race then they will
     have read and write permission to the subdirectory used to unpack web
     applications, including their WEB-INF/lib jar files and JSP files. If
     any code is ever executed out of this temporary directory, this can
     lead to a local privilege escalation vulnerability.
   * Fix CVE-2020-27223: When Jetty handles a request containing multiple
     Accept headers with a large number of “quality” (i.e. q) parameters,
     the server may enter a denial of service (DoS) state due to high CPU
     usage processing those quality values, resulting in minutes of CPU time
     exhausted processing those quality values.
   * Fix CVE-2020-28165: CPU usage can reach 100% upon receiving a large
     invalid TLS frame.
   * Fix CVE-2020-28169: It is possible for requests to the ConcatServlet
     with a doubly encoded path to access protected resources within the
     WEB-INF directory. For example a request to
     `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can
     reveal sensitive information regarding the implementation of a web
     application.
   * Fix CVE-2021-34428: If an exception is thrown from the
     SessionListener#sessionDestroyed() method, then the session ID is not
     invalidated in the session ID manager. On deployments with clustered
     sessions and multiple contexts this can result in a session not being
     invalidated. This can result in an application used on a shared
     computer being left logged in.
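Added illustration for the CVE-2020-28169 entry above (not Jetty's ConcatServlet code and not the Debian patch): a stand-alone Java check of the kind a servlet needs when it serves a path taken from the query string. It rejects a path that is still percent-encoded after a single decode, such as `/%2557EB-INF/web.xml`, and refuses any normalised path that enters WEB-INF or META-INF. The class and method names are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

// Illustrative check, not Jetty's ConcatServlet code: decides whether a
// path taken from the query string may be served from the web application.
public final class ProtectedPathCheck {

    public static boolean isAllowed(String rawPath) {
        if (rawPath == null || !rawPath.startsWith("/")) {
            return false;
        }
        String decoded;
        try {
            // Decode exactly once ('+' becoming a space is harmless here).
            decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return false;   // truncated or invalid %xx sequence
        }
        // A '%' surviving one decode means the client double-encoded the
        // path (%2557 -> %57 -> 'W'); refuse instead of decoding again.
        if (decoded.indexOf('%') >= 0) {
            return false;
        }
        // Normalise "." / ".." segments and backslashes before looking at
        // directory names, so "/a/../WEB-INF/web.xml" is caught as well.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decoded.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return false; // escapes the root
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        // Case-insensitive: the files may live on a case-insensitive FS.
        for (String seg : segments) {
            if (seg.equalsIgnoreCase("WEB-INF") || seg.equalsIgnoreCase("META-INF")) {
                return false;
            }
        }
        return true;
    }
}
```

With the request from the entry, `isAllowed("/%2557EB-INF/web.xml")` returns false because `%57` survives the single decode, while the single-encoded `/%57EB-INF/web.xml` is rejected by the segment check after decoding to `/WEB-INF/web.xml`.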