[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [jetty-dev] jetty-dev Digest, Vol 37, Issue 20
|
hi Greg,
Thanx for the information. Can you please tell me exactly which Jetty 6 version contains that fix for DOS attack
regards
Prakash
On Wed, Mar 28, 2012 at 9:30 PM,
<jetty-dev-request@xxxxxxxxxxx> wrote:
Send jetty-dev mailing list submissions to
jetty-dev@xxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev
or, via email, send a message with subject or body 'help' to
jetty-dev-request@xxxxxxxxxxx
You can reach the person managing the list at
jetty-dev-owner@xxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of jetty-dev digest..."
Today's Topics:
1. Jetty Version having fix for Denial of Service
(https://bugzilla.redhat.com/show_bug.cgi?id=781677) (prakash mallick)
2. Re: Jetty Version having fix for Denial of Service
(https://bugzilla.redhat.com/show_bug.cgi?id=781677) (Greg Wilkins)
3. SPDY window size update, a bug? (Will)
4. Re: SPDY window size update, a bug? (Simone Bordet)
5. Re: SPDY window size update, a bug? (Simone Bordet)
----------------------------------------------------------------------
Message: 1
Date: Tue, 27 Mar 2012 21:43:34 +0530
From: prakash mallick <pcmallick@xxxxxxxxx>
To: jetty-dev@xxxxxxxxxxx
Subject: [jetty-dev] Jetty Version having fix for Denial of Service
(https://bugzilla.redhat.com/show_bug.cgi?id=781677)
Message-ID:
<CAGExC+mhZEouVC=5+duDmNMRxer3nuBM7WyyuvY8gk5cp29LPg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"
Hi All,
We are using Jetty version Jetty-5.1.14 binary, can anybody please
tell me if we can have an immediate version w.r.t 5.1.14 having fix for
https://bugzilla.redhat.com/show_bug.cgi?id=781677 .
Thanks and Regards,
Prakash
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dev.eclipse.org/mailman/private/jetty-dev/attachments/20120327/debf6916/attachment.htm>
------------------------------
Message: 2
Date: Wed, 28 Mar 2012 09:37:09 +1100
From: Greg Wilkins <gregw@xxxxxxxxxxx>
To: "Jetty @ Eclipse developer discussion list"
<jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] Jetty Version having fix for Denial of
Service (https://bugzilla.redhat.com/show_bug.cgi?id=781677)
Message-ID:
<CAH_y2NHZPrqat+GXxSWcbPTyNcDJpG4hcLN7hFFdxcBxqJmRnw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"
Prakash,
Jetty-5 is no longer a supported/developed release. There are fixes
available for jetty 6, 7 and 8. You can also protect against this attack
by reducing the maximum form content size to < 4k.
Note that as an open source project, you can modify the source of jetty-5
and build your own version. We just do not have the resources available
to do an official release of such an old version.
regards
On 28 March 2012 03:13, prakash mallick <pcmallick@xxxxxxxxx> wrote:
> Hi All,
> We are using Jetty version Jetty-5.1.14 binary, can anybody please
> tell me if we can have an immediate version w.r.t 5.1.14 having fix for
> https://bugzilla.redhat.com/show_bug.cgi?id=781677 .
>
> Thanks and Regards,
> Prakash
>
> _______________________________________________
> jetty-dev mailing list
> jetty-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dev.eclipse.org/mailman/private/jetty-dev/attachments/20120328/2c99da06/attachment.htm>
------------------------------
Message: 3
Date: Wed, 28 Mar 2012 14:40:24 +0900
From: Will <wglozer@xxxxxxxxx>
To: jetty-dev@xxxxxxxxxxx
Subject: [jetty-dev] SPDY window size update, a bug?
Message-ID:
<CAHvJj_vLr7EZ8iVQE0W2V7wFmDM-wQ+QwdfBBNUBhHtO7yJFAQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8
Hello,
I have been playing around with Jetty's shiny new SPDY support and ran
into a problem where my SPDY sessions were timing out, apparently
because a PING response wasn't being sent to the client (Chrome 17).
I tracked this down to StandardSession, where a flush call was being
skipped with two items in the queue, a DataFrame and the PingFrame
response. The flush was skipped because DataFrameBytes.getByteBuffer()
was returning null, which in turn was caused by the Stream window size
being <= 0.
When the complete() method of DataFrameBytes is called it calls
Stream.updateWindowSize(-length):
https://github.com/eclipse/jetty.project/blob/jetty-8/jetty-spdy/spdy-core/src/main/java/org/eclipse/jetty/spdy/StandardSession.java#L1037
Is that correct? I don't follow the logic for updating the window size
that way, but I am very new to both SPDY and the Jetty code base.
Removing the window size update does fix the client PING timeouts.
Thanks!
Will
------------------------------
Message: 4
Date: Wed, 28 Mar 2012 09:45:12 +0200
From: Simone Bordet <sbordet@xxxxxxxxxxx>
To: "Jetty @ Eclipse developer discussion list"
<jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] SPDY window size update, a bug?
Message-ID:
<CAFWmRJ2rKmRuKST4tyzx4s0NkmJGvVxy5tQ+FgBXiWRSPktJrg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8
Hi,
On Wed, Mar 28, 2012 at 07:40, Will <wglozer@xxxxxxxxx> wrote:
> Hello,
>
> I have been playing around with Jetty's shiny new SPDY support and ran
> into a problem where my SPDY sessions were timing out, apparently
> because a PING response wasn't being sent to the client (Chrome 17).
>
> I tracked this down to StandardSession, where a flush call was being
> skipped with two items in the queue, a DataFrame and the PingFrame
> response. The flush was skipped because DataFrameBytes.getByteBuffer()
> was returning null, which in turn was caused by the Stream window size
> being <= 0.
>
> When the complete() method of DataFrameBytes is called it calls
> Stream.updateWindowSize(-length):
>
> https://github.com/eclipse/jetty.project/blob/jetty-8/jetty-spdy/spdy-core/src/main/java/org/eclipse/jetty/spdy/StandardSession.java#L1037
>
> Is that correct? I don't follow the logic for updating the window size
> that way, but I am very new to both SPDY and the Jetty code base.
> Removing the window size update does fix the client PING timeouts.
I am not sure that flow control is implemented in Chromium/Chrome 17,
so perhaps we need a switch to turn it off on server side too.
I think the update of the window size is right, but we're stalling
PING frames (and other channels too), so that looks like a bug.
Investigating.
Simon
--
http://cometd.org
http://intalio.com
http://bordet.blogspot.com
----
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.?? Victoria Livschitz
------------------------------
Message: 5
Date: Wed, 28 Mar 2012 11:40:13 +0200
From: Simone Bordet <sbordet@xxxxxxxxxxx>
To: "Jetty @ Eclipse developer discussion list"
<jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] SPDY window size update, a bug?
Message-ID:
<CAFWmRJ0XBDdbx73_Xw-PnxN5GpV3t3-4f6o_v19+Z7tUaxSKOQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8
Hi,
On Wed, Mar 28, 2012 at 09:45, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
> I am not sure that flow control is implemented in Chromium/Chrome 17,
> so perhaps we need a switch to turn it off on server side too.
> I think the update of the window size is right, but we're stalling
> PING frames (and other channels too), so that looks like a bug.
> Investigating.
Confirmed as bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=375509
Simon
--
http://cometd.org
http://intalio.com
http://bordet.blogspot.com
----
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.?? Victoria Livschitz
------------------------------
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-dev
End of jetty-dev Digest, Vol 37, Issue 20
*****************************************