From 7cf09c0a75de6695e91ff506196f4b5227b6b5ed Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 5 Nov 2024 20:04:39 +0800
Subject: [PATCH] Fix CVE-2024-6762

(cherry picked from commit 67f568f26c313f06108f65fa54970dcd4d32fabb)
---
 CVE-2024-6762.patch | 60 +++++++++++++++++++++++++++++++++++++++++++++
 jetty.spec | 6 ++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-6762.patch

diff --git a/CVE-2024-6762.patch b/CVE-2024-6762.patch
new file mode 100644
index 0000000..3bae719
--- /dev/null
+++ b/CVE-2024-6762.patch
@@ -0,0 +1,60 @@
+From c9fb33ab85959921ff3183311587af02772dda89 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts
+Date: Mon, 1 May 2023 14:40:35 +1000
+Subject: [PATCH 1/2] deprecate PushSessionCacheFilter
+
+Signed-off-by: Lachlan Roberts
+---
+ .../java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 4fa0ea1028cb..9950dce98bda 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -41,6 +41,7 @@
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+
++@Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+ private static final String TARGET_ATTR = "PushCacheFilter.target";
+
+From 2588cedddca989b6b96e6954ae6e8fc8f3e1c487 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts
+Date: Tue, 2 May 2023 12:02:12 +1000
+Subject: [PATCH 2/2] update javadoc and add log warning message for
+ PushSessionCacheFilter
+
+Signed-off-by: Lachlan Roberts
+---
+ .../eclipse/jetty/servlets/PushSessionCacheFilter.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 9950dce98bda..81b85cb2b85e 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -41,6 +41,9 @@
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+
++/**
++ * @deprecated no replacement for this deprecated http feature
++ */
+ @Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+@@ -50,6 +53,11 @@ public class PushSessionCacheFilter implements Filter
+ private final ConcurrentMap _cache = new ConcurrentHashMap<>();
+ private long _associateDelay = 5000L;
+
++ public PushSessionCacheFilter()
++ {
++ LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is an example class not suitable for production.");
++ }
++
+ @Override
+ public void init(FilterConfig config) throws ServletException
+ {
diff --git a/jetty.spec b/jetty.spec
index d816ae2..e542164 100644
--- a/jetty.spec
+++ b/jetty.spec
@@ -12,7 +12,7 @@
 %bcond_with jp_minimal
 Name: jetty
 Version: 9.4.16
-Release: 7
+Release: 8
 Summary: Java Webserver and Servlet Container
 License: Apache-2.0 OR EPL-1.0
 URL: http://www.eclipse.org/jetty/
@@ -32,6 +32,7 @@ Patch7: CVE-2023-26048.patch
 Patch8: CVE-2023-26049.patch
 Patch9: CVE-2023-36479.patch
 Patch10: CVE-2023-40167.patch
+Patch11: CVE-2024-6762.patch
 BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) < 4.0.0
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@@ -800,6 +801,9 @@ exit 0
 %license LICENSE NOTICE.txt LICENSE-MIT
 %changelog
+* Tue Nov 05 2024 yaoxin - 9.4.16-8
+- Fix CVE-2024-6762
+
 * Tue Oct 15 2024 wangkai <13474090681@163.com> - 9.4.16-7
 - Fix CVE-2023-26048,CVE-2023-26049,CVE-2023-36479,CVE-2023-40167
--
Gitee
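Review bot: The embedded upstream commits only add `@Deprecated`, a Javadoc `@deprecated` tag and a constructor-time `LOG.warn`; the filter's state (`_cache`, `_associateDelay` on the context lines of the `-50,6 +53,11` hunk) and its `init`/`doFilter` logic, which continue outside this hunk, are untouched, so a deployment that still lists `PushSessionCacheFilter` in its `web.xml` behaves exactly as before and the package changelog's "Fix CVE-2024-6762" should be read as a mitigation-by-deprecation, not a code fix. The warning also fires only when a servlet container actually instantiates the filter, so operators who do not read server logs get no signal; I would make the message actionable by naming the CVE and the remedy, e.g. `LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is an example class not suitable for production (CVE-2024-6762); remove it from web.xml");`, and extend the `@deprecated` Javadoc to say the class is kept only for source compatibility and must not be deployed. Note `LOG` is used but not declared in any hunk shown; presumably it is the class's existing static logger (the imports of `Log`/`Logger` are visible), which should be confirmed to exist in the 9.4.16 sources this spec patches before applying.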