#2061 closed defect (fixed)

I2P and default Jetty installation & Vulnerability time fixation

Reported by: anonymous maybe Owned by: zzz
Priority: minor Milestone: 0.9.33
Component: apps/jetty Version: 0.9.31
Keywords: Cc:
Parent Tickets:

Description

Hi there, as we know I2P comes with Jetty by default, but the problem is that there are vulnerabilities attacking Jetty which might also cause I2P trouble. For example this ticket:

https://security-tracker.debian.org/tracker/CVE-2017-9735

It says that it has been fixed in sid and buster but NOT stretch, which is the stable one.

So given this situation, what should I2P do about it?

Should we stick to Eclipse releases for Debian stable, or should I2P fix that itself by bringing in Jetty 9.2.22-2 and updating it through the I2P repo?

And what about future thoughts regarding problems similar to this one?

Another vulnerability you can see here, and the fix candidate is not yet applied:

https://security-tracker.debian.org/tracker/CVE-2009-3579

Subtickets

Change History (3)

comment:1 Changed 18 months ago by anonymous maybe

  • Priority changed from minor to major
  • Summary changed from I2P and default Jetty installation to I2P and default Jetty installation & Vulnerability time fixation

comment:2 Changed 18 months ago by zzz

  • Milestone changed from undecided to 0.9.33
  • Owner set to zzz
  • Priority changed from major to minor
  • Status changed from new to accepted

1) Please don't just find a CVE and panic. Please analyze the CVEs you reference and explain why they are important to I2P users:

  • the first is a password timing attack, few if any i2p users set a password, and it would require a local attacker. This is a very minor issue for us.
  • the second is in sample code only

2) It's not our job to fix issues in other distribution packages. If you are that concerned about it, either run sid or talk to the package maintainer.

3) In our standalone installer we currently bundle Jetty 9.2.21, with a fix that's in 9.2.22. We will probably update to 9.2.22 (or later if available) in our 0.9.33 release.

4) Jetty is a massive and fast-moving project, and every year or two they drop support for an older version, and the new version is incompatible, which causes us no end of misery. Even though we recently switched to 9.2.x, it looks like we'll soon have to move again to 9.4.x. We can't possibly keep up, we will always be behind the latest Jetty release.


Leaving open as a task to update to 9.2.22 for 0.9.33 (and remove our patch), for non-package installs only.
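As an added illustration of what "password timing attack" means in item 1 above (example code, not from this ticket nor from the I2P or Jetty code bases): a comparison that returns at the first mismatching character does work proportional to the length of the correct prefix, whereas a constant-time comparison does the same work regardless of where the mismatch is. The password strings are constructed.

```python
import hmac
from typing import List, Tuple


def naive_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison of the kind the CVE describes.

    Returns (match, number of character comparisons performed). The
    second value is a deterministic stand-in for elapsed time: it grows
    with the length of the correctly guessed prefix.
    """
    steps = 0
    if len(expected) != len(supplied):
        return False, steps
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            return False, steps  # leaks the position of the first mismatch
    return True, steps


def constant_time_compare(expected: str, supplied: str) -> bool:
    """Mitigation: compare every byte regardless of where mismatches are.

    Uses the standard library's hmac.compare_digest, which does not return
    early on the first differing byte.
    """
    return hmac.compare_digest(expected.encode(), supplied.encode())


def prefix_leak(expected: str, guesses: List[str]) -> List[int]:
    """Work done by naive_compare for each guess.

    With the early-exit compare, the returned counts reveal how many
    leading characters of each guess were correct; a constant-time
    compare offers no such per-position signal.
    """
    return [naive_compare(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = "secret12"  # constructed sample value
    guesses = ["xecret12", "sxcret12", "secretx2"]
    print("naive compare work per guess:", prefix_leak(secret, guesses))
    print("constant-time result:", [constant_time_compare(secret, g) for g in guesses])
```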

comment:3 Changed 17 months ago by zzz

  • Resolution set to fixed
  • Status changed from accepted to closed

9.2.22 in 0.9.32-2
