NEXUS-5031 (Dev - Nexus)

Upgrade to latest Jetty 7.x to solve known denial of service security vulnerabilities

    Details

    • Global Rank: 24914
    • Story Points: 1
    • Release Note: Yes

      Description

      Upgrading to latest Jetty 7 would eliminate these vulnerabilities.

        Activity

        Peter Lynch added a comment -

        Note that we have already upgraded master branch (2.1) to Jetty 8 and therefore this issue is to upgrade nexus-2.0.x branches for the 2.0.4 release.

        Jason Dillon added a comment -

        Fix version should be updated to reflect this ^^^

        Peter Lynch added a comment - - edited

        This seems to involve backporting https://github.com/sonatype/nexus/pull/297/ into the nexus-2.0.x branch (from NEXUS-4852) and then bumping the Jetty version to the latest Jetty 7 (7.6.2.v20120308).

        Also requires backporting https://github.com/sonatype/nexus-enterprise/pull/140 as well into nexus-enterprise-2.0.x branch.

        Done this locally, but a full IT test run at minimum still needs to be done.

        Tamás Cservenák added a comment -

        Related discussion and fix: http://dev.eclipse.org/mhonarc/lists/jetty-users/msg01817.html

        Peter Lynch added a comment -

        From Stuart:

        There were some test stability fixes that were put in after we moved master to Jetty8 that could also apply to Jetty7:

        https://github.com/sonatype/nexus/pull/304
        https://github.com/sonatype/nexus/pull/310

        But these fixes (apart from the Jetty8 bump) are test specific and therefore don't need to be backported to 2.0.x

        However, make sure you pick up the latest (sisu)plexus-jetty7 that contains a shutdown fix:

        https://github.com/sonatype/nexus/pull/326

        This issue wasn't seen in production, but it could conceivably happen so the version bump is worth backporting

        Peter Lynch added a comment - - edited

        https://github.com/sonatype/nexus/pull/374
        https://github.com/sonatype/nexus-enterprise/pull/196

        Backported all the relevant Jetty 7 upgrades from master that I could find, plus a few tweaks (which I may need to forward port). Pull 304 was already in nexus-2.0.x, pull 310 was too Jetty 8 focused and I could not find anything Jetty 7 specific to isolate, pull 326 was brought in to fix a possible shutdown bug, and all the others from my first comment were added.

        Peter Lynch added a comment -

        Ran IT build locally; grid test still needed.

        Peter Lynch added a comment -

        Have not noticed any problems in testing the staged builds specific to Jetty 7


          People

          • Assignee: Peter Lynch
          • Reporter: Peter Lynch
          • Last Updated By: Jason Dillon