ush.it reported multiple flaws affecting jetty 6.x and 7.x:
http://www.ush.it/2009/10/25/jetty-6x-and-7x-multiple-vulnerabilities/

Issues reported include:

E) "Cookie Dump Servlet" escape sequence injection (Affected versions: Any)
F) Http Content-Length header escape sequence injection (Affected versions: Any)

An attacker-supplied input containing special characters may be copied to stack traces printed to jetty log when exception is raised due to some problem with parsing user input (non-numeric Max-Age value in case of demo Cookie servlet (E) or non-numeric Content-Length HTTP header value (F)). When log file is later viewed in a terminal that understands special escape sequences (most graphical terminal emulators), those escape sequences may cause terminal to run an arbitrary command.

Upstream bug:
http://jira.codehaus.org/browse/JETTY-1129 (no useful info)

Upstream commits referencing JETTY-1129:
http://fisheye.codehaus.org/changelog/jetty/?cs=5628
http://fisheye.codehaus.org/changelog/jetty/?cs=5631
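A log-review check for the problem described above, as an added example that is not part of the original report and is not Jetty code: it finds log lines carrying control characters and returns them with those characters made visible, so the file can be read in a terminal without the sequences being interpreted. The function names and the sample log are constructed for illustration.

```python
import re

# C0 controls except TAB, DEL, C1 code points (U+0080-U+009F, including the
# single-character CSI U+009B), and the surrogates that "surrogateescape"
# produces for raw bytes that are not valid UTF-8 (for example a bare 0x9b).
_SUSPECT = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f\udc80-\udcff]")


def _visible(match):
    cp = ord(match.group())
    if cp >= 0xDC80:          # escaped raw byte: recover its original value
        cp -= 0xDC00
    return "\\x%02x" % cp


def neutralize(text):
    """Replace every suspect character with a printable \\xNN form."""
    return _SUSPECT.sub(_visible, text)


def scan_log(data):
    """Return [(line_number, safe_text)] for lines containing control characters."""
    findings = []
    for number, raw in enumerate(data.split(b"\n"), start=1):
        text = raw.decode("utf-8", errors="surrogateescape")
        if text.endswith("\r"):   # tolerate CRLF line endings
            text = text[:-1]
        if _SUSPECT.search(text):
            findings.append((number, neutralize(text)))
    return findings


# Constructed sample: a number-parsing stack trace whose message echoes request
# input containing a harmless colour sequence, plus a line with a raw 0x9b byte.
SAMPLE_LOG = (
    b"2009-11-03 10:00:01 INFO  started (constructed sample)\n"
    b'java.lang.NumberFormatException: For input string: "12\x1b[31m"\n'
    b"\tat java.lang.Integer.parseInt(Integer.java)\n"
    b"2009-11-03 10:00:02 WARN  bad header value \x9b1m\n"
)

if __name__ == "__main__":
    for number, safe in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (number, safe))
```

The same neutralize step can be applied on the logging side to request-derived strings before they reach an exception message.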
Created attachment 367294
Local copy of the advisory

Downloaded on 2009-11-03 from:
http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
It's not clear if 5.x versions may be affected by some variant of this problem.
Upstream patches listed above applied to Fedora 12 and rawhide.
This is fixed in upstream 6.1.22 and patched in Fedora 13:

* Tue Nov 03 2009 Jeff Johnston 6.1.21-3
- Security issues
- Resolves #532675, #5326565

and 6.1.20-5 on Fedora 12.