
Upgrade to latest Jetty 7.x to solve known denial of service security vulnerabilities

    Details

    • Global Rank:
      24914
    • Story Points:
      1
    • Release Note:
      Yes

      Description

      Upgrading to latest Jetty 7 would eliminate these vulnerabilities.

        Activity

        Peter Lynch created issue -
        Peter Lynch made changes -
        Field Original Value New Value
        Fix Version/s 2.1 [ 12026 ]
        Peter Lynch added a comment -

        Note that we have already upgraded master branch (2.1) to Jetty 8 and therefore this issue is to upgrade nexus-2.0.x branches for the 2.0.4 release.

        Jason Dillon added a comment -

        Fix version should be updated to reflect this ^^^

        Peter Lynch made changes -
        Fix Version/s 2.0.4 [ 12229 ]
        Peter Lynch made changes -
        Parent NXCM-4061 [ 417597 ]
        Issue Type Bug [ 1 ] Technical task [ 26 ]
        Peter Lynch added a comment - - edited

        This seems to involve backporting https://github.com/sonatype/nexus/pull/297/ into the nexus-2.0.x branch (from NEXUS-4852) and then bumping the Jetty version to the latest Jetty 7 (7.6.2.v20120308).

        Also requires backporting https://github.com/sonatype/nexus-enterprise/pull/140 as well into nexus-enterprise-2.0.x branch.

        Done this locally but needs a full IT test run at minimum yet to be done.

        Peter Lynch made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Peter Lynch made changes -
        Fix Version/s 2.1 [ 12026 ]
        Fix Version/s 2.0.4 [ 12229 ]
        Fix Version/s Iteration 04/05 to 04/12 [ 12235 ]
        Peter Lynch made changes -
        Fix Version/s Iteration 04/12 to 04/26 [ 12321 ]
        Fix Version/s 2.0.4 [ 12229 ]
        Peter Lynch made changes -
        Fix Version/s 2.1 [ 12026 ]
        Tamás Cservenák added a comment -

        Related discussion and fix: http://dev.eclipse.org/mhonarc/lists/jetty-users/msg01817.html

        Peter Lynch added a comment -

        From stuart:

        There were some test stability fixes that were put in after we moved master to Jetty8 that could also apply to Jetty7:

        https://github.com/sonatype/nexus/pull/304
        https://github.com/sonatype/nexus/pull/310

        But these fixes (apart from the Jetty8 bump) are test specific and therefore don't need to be backported to 2.0.x

        However, make sure you pick up the latest (sisu)plexus-jetty7 that contains a shutdown fix:

        https://github.com/sonatype/nexus/pull/326

        This issue wasn't seen in production, but it could conceivably happen so the version bump is worth backporting

        Peter Lynch added a comment - - edited

        https://github.com/sonatype/nexus/pull/374
        https://github.com/sonatype/nexus-enterprise/pull/196

        Backported all the relevant jetty7 upgrades from master that I could find, plus a few tweaks (which I may need to forward port). Pull 304 was already in nexus-2.0.x, pull 310 was too jetty8 focused and I could not find anything jetty7 to isolate, pull 326 was brought in to fix a possible shutdown bug, and all the others in my first comment were added.

        Peter Lynch made changes -
        Status In Progress [ 3 ] Waiting for Response [ 10013 ]
        Release Note Yes [ 10070 ]
        Peter Lynch made changes -
        Status Waiting for Response [ 10013 ] Open [ 1 ]
        Peter Lynch made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Peter Lynch made changes -
        Status In Progress [ 3 ] Waiting for Review [ 10014 ]
        Peter Lynch made changes -
        Status Waiting for Review [ 10014 ] To Be Tested [ 10007 ]
        Peter Lynch added a comment -

        Ran IT build locally needing grid test

        Peter Lynch made changes -
        Status To Be Tested [ 10007 ] Testing In Progress [ 10001 ]
        Peter Lynch made changes -
        Assignee Peter Lynch [ plynch ]
        Peter Lynch added a comment -

        Have not noticed any problems in testing the staged builds specific to Jetty 7

        Peter Lynch made changes -
        Status Testing In Progress [ 10001 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Rich Seddon made changes -
        Parent NXCM-4061 [ 417597 ]
        Issue Type Technical task [ 26 ] User Story [ 6 ]
        Rich Seddon made changes -
        Project Dev - Nexus Pro [ 10060 ] Dev - Nexus - OSS [ 10001 ]
        Key NXCM-4058 NEXUS-5031
        Affects Version/s 2.0.3 [ 12228 ]
        Affects Version/s 2.0.3 [ 12226 ]
        Component/s Security [ 10049 ]
        Component/s Security [ 10040 ]
        Fix Version/s Iteration 04/12 to 04/26 [ 12320 ]
        Fix Version/s 2.0.4 [ 12231 ]
        Fix Version/s 2.1 [ 12028 ]
        Fix Version/s 2.1 [ 12026 ]
        Fix Version/s 2.0.4 [ 12229 ]
        Fix Version/s Iteration 04/12 to 04/26 [ 12321 ]
        Security Sonatype Only [ 10014 ]
        Release Version History Iteration 04/05 to 04/12 [ 12235 ]
        Rich Seddon made changes -
        Description
        Original Value: These were revealed by Insight scans:

         [CVE-2011-4461|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461]
         [osvdb-78117|http://osvdb.org/78117]

        Upgrading to latest Jetty 7 would eliminate these vulnerabilities.

        New Value: Upgrading to latest Jetty 7 would eliminate these vulnerabilities.


        Rich Seddon made changes -
        Email
        Issue Type User Story [ 6 ] Improvement [ 4 ]
        Rich Seddon made changes -
        Workflow Agile3 [ 445962 ] Customer Facing Agile [ 467658 ]
        Rich Seddon made changes -
        Workflow Customer Facing Agile [ 467658 ] Customer Facing Agile 2 [ 476023 ]
        Jason Dillon made changes -
        Labels easy

          People

          • Assignee:
            Peter Lynch
            Reporter:
            Peter Lynch
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved:
              Date of First Response: