#2061 closed defect (fixed)

I2P and default Jetty installation & Vulnerability time fixation

Reported by: anonymous maybe
Owned by: zzz
Priority: minor
Milestone: 0.9.33
Component: apps/jetty
Version: 0.9.31
Keywords:
Cc:
Parent Tickets:
Sensitive: no

Description

Hi there, as we know, I2P comes with Jetty by default, but the problem is that there are vulnerabilities attacking Jetty which might also cause I2P trouble. For example this ticket:

https://security-tracker.debian.org/tracker/CVE-2017-9735

It says that it has been fixed inside sid and buster but NOT stretch, which is the stable one.

So according to this situation, what should I2P do for this?

Should we stick to Eclipse releases for Debian stable, or should we fix that in I2P itself by bringing in Jetty 9.2.22-2 and updating it via the I2P repo?

How about future thoughts regarding problems similar to this one?

Another vulnerability you can see here, and the fix candidate time is not yet applied:

https://security-tracker.debian.org/tracker/CVE-2009-3579

Subtickets

Change History (3)

comment:1 Changed 20 months ago by anonymous maybe

Priority: minor → major
Summary: I2P and default Jetty installation → I2P and default Jetty installation & Vulnerability time fixation

comment:2 Changed 20 months ago by zzz

Milestone: undecided → 0.9.33
Owner: set to zzz
Priority: major → minor
Status: new → accepted

1) Please don't just find a CVE and panic. Please analyze the CVEs you reference and explain why they are important to I2P users:

  • the first is a password timing attack; few if any I2P users set a password, and it would require a local attacker. This is a very minor issue for us.
  • the second is in sample code only

2) It's not our job to fix issues in other distribution packages. If you are that concerned about it, either run sid or talk to the package maintainer.

3) In our standalone installer we currently bundle Jetty 9.2.21, with a fix that's in 9.2.22. We will probably update to 9.2.22 (or later if available) in our 0.9.33 release.

4) Jetty is a massive and fast-moving project, and every year or two they drop support for an older version, and the new version is incompatible, which causes us no end of misery. Even though we recently switched to 9.2.x, it looks like we'll soon have to move again to 9.4.x. We can't possibly keep up, we will always be behind the latest Jetty release.
Leaving open as a task to update to 9.2.22 for 0.9.33 (and remove our patch), for non-package installs only.
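The "password timing attack" zzz refers to above is the general class of early-exit string comparison flaws. As an added illustration (not Jetty's, I2P's or the patched Jetty code), here is a naive check beside a constant-time one, using a constructed sample password:

```python
"""Why a byte-by-byte password check leaks timing, and the constant-time fix."""
import hmac


def naive_equals(stored: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (match, bytes_examined).

    The second value stands in for elapsed time: the loop stops at the first
    mismatch, so someone timing many guesses can learn how long the matching
    prefix is and recover the secret one byte at a time.
    """
    if len(stored) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(stored, guess):
        examined += 1
        if a != b:
            return False, examined  # early exit: work depends on the mismatch position
    return True, examined


def constant_time_equals(stored: bytes, guess: bytes) -> bool:
    """Constant-time comparison via hmac.compare_digest: the work done does not
    depend on where (or whether) the inputs differ, so timing reveals nothing
    about the matching prefix."""
    return hmac.compare_digest(stored, guess)


def prefix_leak_profile(stored: bytes, guesses: list[bytes]) -> list[int]:
    """Bytes examined by the naive check for each guess; a rising profile across
    guesses with a growing correct prefix is the side channel."""
    return [naive_equals(stored, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = b"correct-horse"  # constructed sample password, not a real credential
    # Constructed guesses whose matching prefix grows by one byte each time.
    guesses = [b"xorrect-horse", b"cxrrect-horse", b"coxrect-horse", b"correct-horse"]
    print("naive bytes examined:", prefix_leak_profile(secret, guesses))
    print("constant-time results:", [constant_time_equals(secret, g) for g in guesses])
```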

comment:3 Changed 19 months ago by zzz

Resolution: fixed
Status: accepted → closed

9.2.22 in 0.9.32-2
