Note regarding Jetty indexing bug

Mathis, Bradley bmathis at pima.edu
Tue Apr 23 10:22:14 EDT 2019


Thank you for the update, Scott.


Brad Mathis
Principal Systems Analyst
Pima Community College
IT - Technical Services
520.206.4826
bmathis at pima.edu

On Tue, Apr 23, 2019 at 5:32 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> If you're running Jetty this shouldn't be news since they sent it to the
> announce list, but they released patches for a directory indexing bug
> yesterday [1].
>
> We'll be shipping a patched version in the next Windows patch that goes
> out for the embedded version, but we already had indexing disabled in the
> static content handler that's part of that package.
>
> We do *not* automatically disable it for the IdP itself anywhere because
> it's a container-specific thing to do but I've updated the Jetty 9.3 and
> the newly posted 9.4 pages [2][3] with sections on one simple way to do it
> with just a web.xml modification. There are a variety of ways to do it in
> Jetty outlined in their page that would be outside the IdP for those who
> prefer that.
>
> This sort of thing is strictly the responsibility of deployers, but I
> wanted to bring it to people's attention.
>
> -- Scott
>
> [1] https://webtide.com/indexing-listing-vulnerability-in-jetty/
> [2] https://wiki.shibboleth.net/confluence/display/IDP30/Jetty93
> [3] https://wiki.shibboleth.net/confluence/display/IDP30/Jetty94
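
The web.xml approach mentioned in the quoted announcement can be audited with a short script that reports whether a deployed descriptor explicitly turns directory listings off. This is an added example, not part of the thread or of the Shibboleth wiki pages; the parameter names are assumed from Jetty's DefaultServlet documentation, and the sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: parameter names come from Jetty's DefaultServlet documentation,
# not from this thread. The context-param form overrides the servlet init-param.
CTX_PARAM = "org.eclipse.jetty.servlet.Default.dirAllowed"

# Constructed sample descriptors (not taken from any real deployment).
HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""
UNSET = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>constructed sample</display-name>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so any web-app schema version matches."""
    return tag.rsplit("}", 1)[-1]

def _params(parent, kind):
    """Yield (name, value) for each <context-param> or <init-param> child."""
    for el in parent:
        if _local(el.tag) == kind:
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            yield f.get("param-name", ""), f.get("param-value", "")

def dir_listing_disabled(web_xml_text):
    """True only when the descriptor explicitly sets dirAllowed to false."""
    root = ET.fromstring(web_xml_text)
    for name, value in _params(root, "context-param"):
        if name == CTX_PARAM:
            return value.lower() == "false"
    for servlet in (e for e in root if _local(e.tag) == "servlet"):
        cls = next((c.text or "" for c in servlet
                    if _local(c.tag) == "servlet-class"), "")
        if cls.strip().endswith("DefaultServlet"):
            for name, value in _params(servlet, "init-param"):
                if name == "dirAllowed":
                    return value.lower() == "false"
    return False  # nothing set: Jetty's default permits listings

if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED), ("unset", UNSET)):
        print(label, "listing disabled:", dir_listing_disabled(doc))
```

A False result only means the descriptor does not disable listings itself; as the announcement notes, Jetty can also be configured for this outside the web application.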
