Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1595621 - (CVE-2017-7658) CVE-2017-7658 jetty: Incorrect header handling
CVE-2017-7658 jetty: Incorrect header handling
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180607,repor...
: Security
Depends On: 1642093 1642108 1595622
Blocks: 1595623
  Show dependency treegraph
 
Reported: 2018-06-27 04:40 EDT by Andrej Nemec
Modified: 2018-10-23 11:49 EDT (History)
24 users (show)

See Also:
Fixed In Version: jetty 9.2.25.v20180606, jetty 9.3.24.v20180605, jetty 9.4.11.v20180605
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Andrej Nemec 2018-06-27 04:40:40 EDT 
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Upstream issue:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
Comment 1 Andrej Nemec 2018-06-27 04:41:38 EDT 
Created jetty tracking bugs for this issue:

Affects: fedora-all [bug 1595622]
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.