Common Vulnerabilities and Exposures assigned the identifiers CVE-2009-1523 and CVE-2009-1524 to the following vulnerabilities:

Name: CVE-2009-1523
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1523
Assigned: 20090505
Reference: CONFIRM: http://jira.codehaus.org/browse/JETTY-1004
Reference: CONFIRM: http://www.kb.cert.org/vuls/id/CRDY-7RKQCY
Reference: CERT-VN:VU#402580
Reference: URL: http://www.kb.cert.org/vuls/id/402580
Reference: BID:34800
Reference: URL: http://www.securityfocus.com/bid/34800
Reference: SECUNIA:34975
Reference: URL: http://secunia.com/advisories/34975

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

Name: CVE-2009-1524
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1524
Assigned: 20090505
Reference: CONFIRM: http://jira.codehaus.org/browse/JETTY-980
Reference: BID:34800
Reference: URL: http://www.securityfocus.com/bid/34800
Reference: SECUNIA:34975
Reference: URL: http://secunia.com/advisories/34975

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.

Note: it is unclear whether or not this affects Jetty 5.x, which is the version that is included in Fedora.
Created attachment 343124
upstream patch to fix CVE-2009-1523 in jetty 6.x

Looking at the patch, I believe 5.x would be affected by this as well on a quick first glance. I need to look at it a bit closer, but with some quick grepping, it looks like: Response.java maps to servlet/ServletHttpResponse.java, and possibly some duplicate code in servlet/Dispatcher.java. URIUtil.java maps to util/URI.java (thus changing all URIUtil.* functions to URI.*).
For CVE-2009-1524:

Upstream issue description is here: http://jira.codehaus.org/browse/JETTY-980

According to the comment at http://jira.codehaus.org/browse/JETTY-980?focusedCommentId=174717&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_174717, the patch at http://jira.codehaus.org/secure/attachment/41486/JETTY-980.patch is not needed, and the patch for http://jira.codehaus.org/browse/JETTY-1004 is sufficient to fix this issue (otherwise, the relevant file affected by this issue in jetty-5.1.14 is jetty-5.1.14/src/org/mortbay/util/Resource.java).

The PoC provided at http://jira.codehaus.org/browse/JETTY-980 (the "Description" part) can be used for verification.

--

For CVE-2009-1523, the patch and the file which needs to be patched are mentioned in the previous comment.
Created attachment 343870
Proposed patch for jetty 5.1.14.
Created attachment 343874
Proposed patch for jetty 5.1.14. Fixed patch.
Jetty 5.1.15 has been released to correct the directory traversal issue (possibly the XSS issue, I'm awaiting confirmation on that since I can't seem to find a relevant CVS repository for Jetty 5.x): http://dist.codehaus.org/jetty/jetty-5.1.x/
CVE-2009-1523 was fixed in the upstream 5.1.15 release. CVE-2009-1524 has not been confirmed in Jetty 5.x by upstream; if it does affect Jetty 5.x, it is not fixed. Upstream's mitigation for CVE-2009-1524 is to disable directory listings by setting dirAllowed to false in the webdefault.xml file, which we should do in Fedora, since this should only be permitted by administrators as they need it, and not as a default anyway.
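As an added illustration of the mitigation described in the previous comment (this fragment is not from this bug report, the upstream patches or the Fedora package), the relevant default-servlet entry in webdefault.xml, with the shipped setting beside the hardened one. Assumptions: the default servlet in Jetty 5.1.x is registered as org.mortbay.jetty.servlet.Default, and dirAllowed is the init-param named above; other init-params of the servlet are omitted.

```xml
<!-- Added example, not Jetty's own webdefault.xml: the default servlet entry
     that controls directory listings. Assumed servlet class for Jetty 5.1.x;
     other init-params of the real entry are left out. -->

<!-- Shipped default: directory listings are generated for any directory
     without a welcome file, which is the surface CVE-2009-1524 relies on. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.mortbay.jetty.servlet.Default</servlet-class>
  <init-param>
    <param-name>dirAllowed</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>

<!-- Mitigated: listings disabled globally; administrators who need them
     re-enable dirAllowed per web application in that application's web.xml. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.mortbay.jetty.servlet.Default</servlet-class>
  <init-param>
    <param-name>dirAllowed</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>
```

Only one of the two servlet entries belongs in a real webdefault.xml; they are shown side by side for comparison. To check the change took effect, request a directory path that has no index file and confirm the server answers with a 403 Forbidden instead of an HTML listing; a per-application web.xml that sets dirAllowed back to true overrides the global default and should be reviewed separately.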
jetty-5.1.15-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/jetty-5.1.15-3.fc9
jetty-5.1.15-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/jetty-5.1.15-3.fc10
jetty-5.1.15-4.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/jetty-5.1.15-4.fc11
jetty-5.1.15-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
jetty-5.1.15-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
jetty-5.1.15-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.