Description
Security update for jetty-minimal
This update for jetty-minimal fixes the following issues:
- jetty-minimal was upgraded to version 9.4.38.v20210224
- CVE-2020-27223: Fixed an issue with the Accept request header which might have led to Denial of Service (bsc#1182898).
Package list
SUSE Linux Enterprise Module for Development Tools 15 SP2
jetty-http-9.4.38-3.6.2
jetty-io-9.4.38-3.6.2
jetty-security-9.4.38-3.6.2
jetty-server-9.4.38-3.6.2
jetty-servlet-9.4.38-3.6.2
jetty-util-9.4.38-3.6.2
jetty-util-ajax-9.4.38-3.6.2
References
- Link for SUSE-SU-2021:0940-1
- E-Mail link for SUSE-SU-2021:0940-1
- SUSE Security Ratings
- SUSE Bug 1182898
- SUSE CVE CVE-2020-27223 page
Description
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage while processing those quality values, which can exhaust minutes of CPU time.
Affected products
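An added example, not part of the advisory or of Jetty's code: the request shape described above, expressed in Python as a check that a reverse proxy or gateway in front of a not-yet-updated Jetty could apply. The two limits, the function names and the sample header lists are assumptions constructed for illustration; installing the fixed packages remains the remedy the advisory gives.

```python
# Added example: screen Accept headers for the request shape in CVE-2020-27223.
# MAX_ACCEPT_HEADERS and MAX_Q_PARAMS are assumed limits, not from the advisory.
import re

MAX_ACCEPT_HEADERS = 2   # assumption: clients normally send one Accept header
MAX_Q_PARAMS = 32        # assumption: generous for real browsers and API clients

# A "q" parameter inside a media range: ";q=0.8", "; Q = 1", etc.
_Q_PARAM = re.compile(r";\s*q\s*=", re.IGNORECASE)


def accept_header_stats(headers):
    """Return (accept_header_count, total_q_params) for (name, value) pairs."""
    values = [v for name, v in headers if name.strip().lower() == "accept"]
    q_total = sum(len(_Q_PARAM.findall(v)) for v in values)
    return len(values), q_total


def screen_request(headers):
    """Return (allowed, reason); reject many Accept headers or many q params."""
    count, q_total = accept_header_stats(headers)
    if count > MAX_ACCEPT_HEADERS:
        return False, f"{count} Accept headers (limit {MAX_ACCEPT_HEADERS})"
    if q_total > MAX_Q_PARAMS:
        return False, f"{q_total} q parameters (limit {MAX_Q_PARAMS})"
    return True, "ok"


# Constructed sample requests (header lists), not captured traffic.
BROWSER = [
    ("Host", "example.test"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
]
REPEATED = [("Host", "example.test")] + [("accept", "text/plain;q=0.5")] * 5
MANY_Q = [("Accept", ",".join(["text/plain;q=0.1"] * 40))]

if __name__ == "__main__":
    for label, req in (("browser", BROWSER), ("repeated", REPEATED), ("many-q", MANY_Q)):
        print(label, screen_request(req))
```

Header names are matched case-insensitively and only `Accept` is counted, since that is the header the CVE description names.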
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-http-9.4.38-3.6.2
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-io-9.4.38-3.6.2
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-security-9.4.38-3.6.2
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-server-9.4.38-3.6.2
References
- CVE-2020-27223
- SUSE Bug 1182898