Jetty CVE-2021-34429 is being flagged in some users' MAT installations: https://www.eclipse.org/jetty/security_reports.php
Eclipse 2021-09 has Jetty 10.0.6 with the fix: https://download.eclipse.org/eclipse/updates/4.21/R-4.21-202109060500/plugins/
It would be good to resolve this CVE by upgrading MAT standalone to Eclipse 2021-09.
Sounds like a reasonable idea for the next release - we need a new mat-2021-09.target or later file. Is Eclipse Linux PPCLE still available with later releases?
Jetty is just used for the help subsystem and listens on localhost, so this should just be a possible local vulnerability. Can anything interesting be retrieved from MAT using these URLs?
> Jetty is just used for the help subsystem and listens on localhost so this
> should just be a possible local vulnerability.

I think you're right, but it seems many customers (as in this example) now have security teams that are constantly running vulnerability scan tools which aren't aware of all the subtleties, and it's not always easy for them to get an exception.
I've created files to allow us to build against 2021-12. Build https://ci.eclipse.org/mat/job/tycho-mat-nightly/1246/ used those files (but subsequent builds will revert to 2021-03), and passed the tests. We need to see if this works, and what limitations there are in moving up to this level. We already require Java 11.
With Eclipse 2021-12 the following are the Jetty files:

./plugins/org.eclipse.jetty.io_10.0.6.jar
./plugins/org.eclipse.equinox.http.jetty_3.8.0.v20210414-1616.jar
./plugins/org.eclipse.jetty.util_10.0.6.jar
./plugins/org.eclipse.jetty.servlet_10.0.6.jar
./plugins/org.eclipse.jetty.util.ajax_10.0.6.jar
./plugins/org.eclipse.jetty.http_10.0.6.jar
./plugins/org.eclipse.jetty.security_10.0.6.jar
./plugins/org.eclipse.jetty.server_10.0.6.jar
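The bundle list above is the kind of evidence a scanner or an installation owner needs to confirm that a MAT build actually ships a fixed Jetty. The script below is an added example, not code from the MAT project or from anyone in this thread: it parses OSGi bundle filenames of the form `<symbolic-name>_<version>[.<qualifier>].jar`, keeps only the `org.eclipse.jetty.*` bundles (the `org.eclipse.equinox.http.jetty` glue bundle is not Jetty itself), and compares each version against the lowest fixed release of its line. The 10.0.6 threshold is the one named in this report; the 9.4.43 and 11.0.6 thresholds for the other Jetty lines are taken from the upstream Jetty advisory for CVE-2021-34429 and are not stated in this thread. The sample filenames are the eight jars listed above plus two constructed ones.

```python
"""Inventory check for Jetty bundles in an Eclipse / MAT plugins directory.

Added example (not MAT project code). Flags org.eclipse.jetty.* bundles whose
version is below the fixed release of their line for CVE-2021-34429.
"""
import re
from pathlib import Path

# OSGi bundle jars are named <symbolic-name>_<version>[.<qualifier>].jar, e.g.
#   org.eclipse.jetty.server_10.0.6.jar
#   org.eclipse.equinox.http.jetty_3.8.0.v20210414-1616.jar
BUNDLE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+)_(?P<version>\d+(?:\.\d+){0,2})(?:\.[^/]+)?\.jar$"
)

# Lowest fixed version per Jetty release line (keyed by major.minor).
# 10.0.6 is the version the bug report names as carrying the fix; 9.4.43 and
# 11.0.6 are from the upstream Jetty advisory, not from this thread (assumption).
FIXED = {(9, 4): (9, 4, 43), (10, 0): (10, 0, 6), (11, 0): (11, 0, 6)}

JETTY_PREFIX = "org.eclipse.jetty."


def parse_bundle(filename):
    """Split a bundle jar name into (symbolic name, 3-tuple version), or None."""
    m = BUNDLE_RE.match(filename)
    if not m:
        return None
    parts = [int(p) for p in m.group("version").split(".")]
    parts += [0] * (3 - len(parts))  # pad "10" -> (10, 0, 0)
    return m.group("name"), tuple(parts)


def classify(filename):
    """Return 'not-jetty', 'ok', 'vulnerable' or 'unknown-line' for one jar."""
    parsed = parse_bundle(filename)
    if parsed is None or not parsed[0].startswith(JETTY_PREFIX):
        return "not-jetty"
    version = parsed[1]
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unknown-line"  # release line not in the table; check the advisory
    return "ok" if version >= fixed else "vulnerable"


def audit(filenames):
    """Map each Jetty bundle filename to its status; non-Jetty jars are skipped."""
    report = {}
    for fn in filenames:
        status = classify(fn)
        if status != "not-jetty":
            report[fn] = status
    return report


def audit_plugins_dir(plugins_dir):
    """Audit the jars in a real Eclipse / MAT plugins/ directory."""
    return audit(p.name for p in Path(plugins_dir).glob("*.jar"))


# Constructed sample: the eight jars the thread lists for Eclipse 2021-12 plus
# two made-up filenames (an older Jetty 10 build and a fixed Jetty 9.4 build).
SAMPLE = [
    "org.eclipse.jetty.io_10.0.6.jar",
    "org.eclipse.equinox.http.jetty_3.8.0.v20210414-1616.jar",
    "org.eclipse.jetty.util_10.0.6.jar",
    "org.eclipse.jetty.servlet_10.0.6.jar",
    "org.eclipse.jetty.util.ajax_10.0.6.jar",
    "org.eclipse.jetty.http_10.0.6.jar",
    "org.eclipse.jetty.security_10.0.6.jar",
    "org.eclipse.jetty.server_10.0.6.jar",
    "org.eclipse.jetty.server_10.0.2.v20210101-0000.jar",  # constructed
    "org.eclipse.jetty.server_9.4.43.v20210101-0000.jar",  # constructed
]

if __name__ == "__main__":
    for jar, status in sorted(audit(SAMPLE).items()):
        print(f"{status:12} {jar}")
```

Run it against a real installation with `audit_plugins_dir("/path/to/mat/plugins")`; any `vulnerable` entry is what a scanner is reacting to, while `unknown-line` means the bundle's release line is outside the small table here and should be checked against the advisory directly.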
New Gerrit change created: https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/192842
Gerrit change https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/192842 was merged to [master]. Commit: http://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=a4eff1556ddcdeffb8ebe2a452c05fd8852566a7
Please try the latest snapshot build to see if this problem is fixed.
As a result of this fix, MAT stand-alone is now based on Eclipse 2022-03.
New Gerrit change created: https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/192966
Gerrit change https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/192966 was merged to [master]. Commit: http://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=32120bb5303607892b5a69ceb52da0f8902be293