Bug 784587 (JENKINS-65280) - <dev-util/jenkins-bin-{2.277.3,2.289}: Denial of service vulnerability in bundled Jetty (JENKINS-65280)
Summary: <dev-util/jenkins-bin-{2.277.3,2.289}: Denial of service vulnerability in bun...
Status: RESOLVED FIXED
Alias: JENKINS-65280
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.jenkins.io/security/advis...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
Reported: 2021-04-20 21:51 UTC by GLSAMaker/CVETool Bot
Modified: 2021-04-20 22:10 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2021-04-20 21:51:32 UTC
CVE-2021-28165 (https://nvd.nist.gov/vuln/detail/CVE-2021-28165):
  In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0
  to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS
  frame.


Denial of service vulnerability in bundled Jetty

JENKINS-65280 / CVE-2021-28165
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.

Jenkins 2.285 and earlier, LTS 2.277.2 and earlier bundles Jetty 9.4.38 or earlier with multiple security vulnerabilities, including CVE-2021-28165. This vulnerability may allow unauthenticated attackers to cause a denial of service if Winstone-Jetty is configured to handle SSL/TLS connections.

Jenkins LTS 2.277.3 updates the bundled Jetty to 9.4.39. Jetty was already previously updated to 9.4.39 in the 2.286 weekly release.
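The affected version ranges quoted above, turned into an added check that is not Gentoo's, Jenkins' or Jetty's own code: it classifies a Jetty or Jenkins version string as inside or outside the ranges given for CVE-2021-28165 / JENKINS-65280. It assumes the Jenkins numbering convention that LTS releases carry three components (2.277.3) and weekly releases two (2.289), and treats Jetty's dated build qualifiers (a trailing `.vYYYYMMDD`) as final releases.

```python
"""Version-range check for CVE-2021-28165 as quoted in this bug (constructed helper)."""
import re
from typing import Tuple

# Affected Jetty ranges, inclusive, exactly as listed in the CVE text.
JETTY_AFFECTED = [("7.2.2", "9.4.38"), ("10.0.0.alpha0", "10.0.1"), ("11.0.0.alpha0", "11.0.1")]
# Last affected Jenkins releases per the advisory: weekly 2.285, LTS 2.277.2.
JENKINS_LAST_AFFECTED = {"weekly": "2.285", "lts": "2.277.2"}

# Pre-release qualifiers sort before a final release (rank 3).
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn 'MAJOR.MINOR.PATCH[.qualifier]' into a sortable key.

    alpha0 / beta1 / RC2 rank below the final release of the same number;
    any other qualifier (e.g. Jetty's '.v20210224' build date) ranks as final.
    Numeric parts are padded to three components so '2.289' == '2.289.0'.
    """
    parts = v.split(".")
    nums = []
    for p in parts:
        if not p.isdigit():
            break
        nums.append(int(p))
    while len(nums) < 3:
        nums.append(0)
    qualifier = ".".join(parts[len(nums):]).lower() if len(parts) > len(nums) else ""
    m = re.fullmatch(r"(alpha|beta|rc)(\d*)", qualifier)
    if m:
        return tuple(nums), _PRE_RANK[m.group(1)], int(m.group(2) or 0)
    return tuple(nums), _RELEASE_RANK, 0


def jetty_affected(version: str) -> bool:
    """True if a Jetty version lies in any of the inclusive affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in JETTY_AFFECTED)


def jenkins_affected(version: str) -> bool:
    """True if a Jenkins release still bundles the vulnerable Jetty.

    Assumption: three dotted components = LTS line, two = weekly line.
    """
    line = "lts" if version.count(".") == 2 else "weekly"
    return parse_version(version) <= parse_version(JENKINS_LAST_AFFECTED[line])
```

A package maintainer or auditor can run the Jenkins check against the versions in an ebuild or an installed `jenkins.war` manifest to decide whether the Winstone-Jetty TLS path is still exposed.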
Comment 1 Larry the Git Cow gentoo-dev 2021-04-20 22:09:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9b089d79856e7216911c5aa73650d019c593977

commit f9b089d79856e7216911c5aa73650d019c593977
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-20 22:09:13 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-20 22:09:19 +0000

    dev-util/jenkins-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/784587
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  2 --
 dev-util/jenkins-bin/jenkins-bin-2.277.2.ebuild | 45 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.287.ebuild   | 45 -------------------------
 3 files changed, 92 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e123fa867fd6ef28d2bc61a44f97fbb37a806ed

commit 0e123fa867fd6ef28d2bc61a44f97fbb37a806ed
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-20 22:08:48 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-20 22:09:19 +0000

    dev-util/jenkins-bin: bump to v2.289
    
    Bug: https://bugs.gentoo.org/784587
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                 |  1 +
 dev-util/jenkins-bin/jenkins-bin-2.289.ebuild | 45 +++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=face99006ace7e7ea6565f761931fe9ec9be6668

commit face99006ace7e7ea6565f761931fe9ec9be6668
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-20 22:07:06 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-20 22:09:18 +0000

    dev-util/jenkins-bin: bump to v2.277.3 (LTS)
    
    Bug: https://bugs.gentoo.org/784587
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  1 +
 dev-util/jenkins-bin/jenkins-bin-2.277.3.ebuild | 45 +++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-20 22:10:24 UTC
Repository is clean, all done.