Update Jetty to address CVE-2017-9735 #2113

Closed
msymons opened this Issue Jul 30, 2017 · 1 comment

@msymons
Contributor

msymons commented Jul 30, 2017

Update Jetty version(s) used by Dropwizard in order to address CVE-2017-9735:

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

See:
eclipse/jetty.project/issues/1556

Fixed by

  • jetty-9.4.6.v20170531
  • jetty-9.3.20.v20170531
  • jetty-9.2.22.v20170606
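As an added illustration of the flaw the CVE text describes (this is not Jetty's util/security/Password.java nor Dropwizard code; the class and method names are invented for the example), the early-exit comparison is shown next to a constant-time alternative built on the JDK's MessageDigest.isEqual. The "chars examined" column is the quantity that leaks through response timing:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added illustration of the timing channel described in CVE-2017-9735.
 * This is NOT Jetty's util/security/Password.java; the method names here
 * (naiveEquals, constantTimeEquals, workDoneByNaive) are invented for the
 * example.
 */
public class PasswordCompare {

    /**
     * The vulnerable pattern: return on the first mismatching character.
     * The time spent before rejection grows with the length of the
     * correct prefix, so an attacker who can measure response times can
     * recover the password one character at a time.
     */
    static boolean naiveEquals(String expected, String actual) {
        if (expected.length() != actual.length()) {
            return false;                        // length leaks immediately
        }
        for (int i = 0; i < expected.length(); i++) {
            if (expected.charAt(i) != actual.charAt(i)) {
                return false;                    // early exit: position i leaks
            }
        }
        return true;
    }

    /**
     * Constant-time alternative. Both inputs are hashed to fixed-size
     * digests, so neither the length nor the position of the first
     * mismatch changes the work done, and MessageDigest.isEqual (JDK
     * 6u17 and later) compares all digest bytes before answering.
     */
    static boolean constantTimeEquals(String expected, String actual) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] a = sha256.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha256.digest(actual.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Characters naiveEquals examines before rejecting a guess; -1 on a match. */
    static int workDoneByNaive(String expected, String guess) {
        if (expected.length() != guess.length()) {
            return 0;
        }
        for (int i = 0; i < expected.length(); i++) {
            if (expected.charAt(i) != guess.charAt(i)) {
                return i + 1;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        String secret = "s3cr3t-pass"; // constructed example secret
        // Guesses that share progressively longer prefixes with the secret.
        String[] guesses = {"xxxxxxxxxxx", "s3xxxxxxxxx", "s3cr3t-xxxx", "s3cr3t-pass"};
        for (String g : guesses) {
            System.out.printf("%-12s naive=%-5b constant=%-5b chars examined by naive=%d%n",
                g, naiveEquals(secret, g), constantTimeEquals(secret, g),
                workDoneByNaive(secret, g));
        }
    }
}
```

Both methods return the same boolean for every guess; the difference is only in how much work precedes a rejection, which is exactly what a remote attacker measures. For a Dropwizard application the remediation is the Jetty upgrade listed above, not a hand-rolled comparison in application code.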

msymons added a commit to msymons/dropwizard that referenced this issue Jul 30, 2017

Update 1.0.x branch jetty to 9.3.20.v20170531
Update Jetty version from 9.3.9.v20160517 to 9.3.20.v20170531 to address CVE-2017-9735 per dropwizard#2113

msymons added a commit to msymons/dropwizard that referenced this issue Jul 30, 2017

Update 1.1.x branch Jetty to 9.4.5.v20170502
Update Jetty version from 9.4.5.v20170502 to 9.4.6.v20170531 to address CVE-2017-9735 per dropwizard#2113

msymons added a commit to msymons/dropwizard that referenced this issue Jul 30, 2017

Update Jetty to 9.4.6.v20170531
Update Jetty version from 9.4.5.v20170502 to jetty-9.4.6.v20170531 to address CVE-2017-9735 per dropwizard#2113

joschi added a commit that referenced this issue Jul 31, 2017

Update 1.0.x branch jetty to 9.3.20.v20170531 (#2116)
Update Jetty version from 9.3.9.v20160517 to 9.3.20.v20170531 to address CVE-2017-9735 per #2113

joschi added a commit that referenced this issue Jul 31, 2017

Update 1.1.x branch Jetty to 9.4.5.v20170502 (#2117)
Update Jetty version from 9.4.5.v20170502 to 9.4.6.v20170531 to address CVE-2017-9735 per #2113
@arteam


Member

arteam commented Jul 31, 2017

Dropwizard 1.0.9 and 1.1.3 have been released with the corresponding upgrades. Thank you for raising awareness of this issue!

@arteam arteam closed this Jul 31, 2017
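Upgrading the Dropwizard BOM is only half the check: the Jetty version an application actually resolves can be overridden by another dependency. The following added example (not Dropwizard or Jetty tooling; class and method names are assumptions) parses `mvn dependency:tree` output and flags org.eclipse.jetty artifacts below the fixed releases listed in this issue. The sample tree is constructed:

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Dropwizard or Jetty code: scan `mvn dependency:tree`
 * output for org.eclipse.jetty artifacts whose version is below the fix
 * for CVE-2017-9735 on its 9.x line. Requires Java 9+ (Map.of).
 */
public class JettyVersionCheck {

    // First fixed release per minor line, as listed in the issue.
    static final Map<String, Integer> FIXED_PATCH = Map.of(
        "9.2", 22,   // jetty-9.2.22.v20170606
        "9.3", 20,   // jetty-9.3.20.v20170531
        "9.4", 6);   // jetty-9.4.6.v20170531

    // Matches e.g. "org.eclipse.jetty:jetty-server:jar:9.4.5.v20170502:compile"
    static final Pattern JETTY_ARTIFACT = Pattern.compile(
        "org\\.eclipse\\.jetty:([\\w-]+):jar:(\\d+)\\.(\\d+)\\.(\\d+)(?:\\.v\\d+)?:");

    /** True when major.minor is a line this issue covers and patch is below the fix. */
    static boolean isVulnerable(int major, int minor, int patch) {
        Integer fixed = FIXED_PATCH.get(major + "." + minor);
        // Lines not named in the issue are not assessed here; they need a
        // separate check rather than a silent "not vulnerable".
        return fixed != null && patch < fixed;
    }

    /** Returns "artifact version" strings for every vulnerable Jetty artifact found. */
    static List<String> findVulnerable(String dependencyTree) {
        List<String> hits = new ArrayList<>();
        for (String line : dependencyTree.split("\n")) {
            Matcher m = JETTY_ARTIFACT.matcher(line);
            if (!m.find()) {
                continue;
            }
            int major = Integer.parseInt(m.group(2));
            int minor = Integer.parseInt(m.group(3));
            int patch = Integer.parseInt(m.group(4));
            if (isVulnerable(major, minor, patch)) {
                hits.add(m.group(1) + " " + major + "." + minor + "." + patch);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:tree` output; not a real build log.
        String sample = String.join("\n",
            "[INFO] io.dropwizard:dropwizard-core:jar:1.1.2:compile",
            "[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.5.v20170502:compile",
            "[INFO] |  +- org.eclipse.jetty:jetty-util:jar:9.4.5.v20170502:compile",
            "[INFO] |  \\- org.eclipse.jetty:jetty-servlets:jar:9.4.6.v20170531:compile");
        List<String> vulnerable = findVulnerable(sample);
        if (vulnerable.isEmpty()) {
            System.out.println("No Jetty artifact below the CVE-2017-9735 fix found.");
        } else {
            System.out.println("Jetty artifacts still affected by CVE-2017-9735:");
            vulnerable.forEach(v -> System.out.println("  " + v));
        }
    }
}
```

Run it against the real tree of the deployed artifact (`mvn dependency:tree` for Maven builds, the equivalent report for Gradle), since a transitive Jetty pulled in by another library can differ from the version the Dropwizard release declares. Mixed Jetty versions in one tree, as in the constructed sample, are themselves a sign that dependency management needs attention.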

sankate pushed a commit to sankate/dropwizard that referenced this issue Nov 21, 2017

Update Jetty to 9.4.6.v20170531
Update Jetty version from 9.4.5.v20170502 to jetty-9.4.6.v20170531 to address CVE-2017-9735 per dropwizard#2113

aaanders added a commit to aaanders/dropwizard that referenced this issue Sep 20, 2018

Update Jetty to 9.4.6.v20170531
Update Jetty version from 9.4.5.v20170502 to jetty-9.4.6.v20170531 to address CVE-2017-9735 per dropwizard#2113