Security update for jetty-minimal SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0940-1 Final 1 1 2021-03-24T11:25:24Z current 2021-03-24T11:25:24Z 2021-03-24T11:25:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jetty-minimal This update for jetty-minimal fixes the following issues: - jetty-minimal was upgraded to version 9.4.38.v20210224 - CVE-2020-27223: Fixed an issue with Accept request header which might have led to Denial of Service (bsc#1182898). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-940,SUSE-SLE-Module-Development-Tools-15-SP2-2021-940 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210940-1/ Link for SUSE-SU-2021:0940-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008550.html E-Mail link for SUSE-SU-2021:0940-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182898 SUSE Bug 1182898 https://www.suse.com/security/cve/CVE-2020-27223/ SUSE CVE CVE-2020-27223 page SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-annotations-9.4.38-3.6.2 jetty-client-9.4.38-3.6.2 jetty-continuation-9.4.38-3.6.2 jetty-http-9.4.38-3.6.2 jetty-io-9.4.38-3.6.2 jetty-jaas-9.4.38-3.6.2 jetty-javax-websocket-client-impl-9.4.38-3.6.2 jetty-javax-websocket-server-impl-9.4.38-3.6.2 jetty-jmx-9.4.38-3.6.2 jetty-jndi-9.4.38-3.6.2 jetty-jsp-9.4.38-3.6.2 jetty-minimal-javadoc-9.4.38-3.6.2 jetty-openid-9.4.38-3.6.2 jetty-plus-9.4.38-3.6.2 jetty-proxy-9.4.38-3.6.2 jetty-security-9.4.38-3.6.2 jetty-server-9.4.38-3.6.2 jetty-servlet-9.4.38-3.6.2 jetty-util-9.4.38-3.6.2 jetty-util-ajax-9.4.38-3.6.2 jetty-webapp-9.4.38-3.6.2 jetty-websocket-api-9.4.38-3.6.2 jetty-websocket-client-9.4.38-3.6.2 jetty-websocket-common-9.4.38-3.6.2 jetty-websocket-javadoc-9.4.38-3.6.2 jetty-websocket-server-9.4.38-3.6.2 jetty-websocket-servlet-9.4.38-3.6.2 jetty-xml-9.4.38-3.6.2 jetty-http-9.4.38-3.6.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-io-9.4.38-3.6.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-security-9.4.38-3.6.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-server-9.4.38-3.6.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-servlet-9.4.38-3.6.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-util-9.4.38-3.6.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-util-ajax-9.4.38-3.6.2 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. CVE-2020-27223 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-http-9.4.38-3.6.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-io-9.4.38-3.6.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-security-9.4.38-3.6.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-server-9.4.38-3.6.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-servlet-9.4.38-3.6.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-util-9.4.38-3.6.2 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-util-ajax-9.4.38-3.6.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210940-1/ https://www.suse.com/security/cve/CVE-2020-27223.html CVE-2020-27223 https://bugzilla.suse.com/1182898 SUSE Bug 1182898