[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-dev] jetty-dev Digest, Vol 37, Issue 20

hi Greg,
          Thanx for the information. Can you please tell me exactly which Jetty 6 version contains that fix for DOS attack
regards
Prakash

On Wed, Mar 28, 2012 at 9:30 PM, <jetty-dev-request@xxxxxxxxxxx> wrote:
Send jetty-dev mailing list submissions to
       jetty-dev@xxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
       https://dev.eclipse.org/mailman/listinfo/jetty-dev
or, via email, send a message with subject or body 'help' to
       jetty-dev-request@xxxxxxxxxxx

You can reach the person managing the list at
       jetty-dev-owner@xxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of jetty-dev digest..."


Today's Topics:

  1. Jetty Version having fix for Denial of Service
     (https://bugzilla.redhat.com/show_bug.cgi?id=781677) (prakash mallick)
  2. Re: Jetty Version having fix for Denial of Service
     (https://bugzilla.redhat.com/show_bug.cgi?id=781677) (Greg Wilkins)
  3. SPDY window size update, a bug? (Will)
  4. Re: SPDY window size update, a bug? (Simone Bordet)
  5. Re: SPDY window size update, a bug? (Simone Bordet)


----------------------------------------------------------------------

Message: 1
Date: Tue, 27 Mar 2012 21:43:34 +0530
From: prakash mallick <pcmallick@xxxxxxxxx>
To: jetty-dev@xxxxxxxxxxx
Subject: [jetty-dev] Jetty Version having fix for Denial of Service
       (https://bugzilla.redhat.com/show_bug.cgi?id=781677)
Message-ID:
       <CAGExC+mhZEouVC=5+duDmNMRxer3nuBM7WyyuvY8gk5cp29LPg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi All,
       We are using Jetty version Jetty-5.1.14 binary, can anybody please
tell me if we can have an immediate  version w.r.t 5.1.14 having fix for
https://bugzilla.redhat.com/show_bug.cgi?id=781677 .

Thanks and Regards,
Prakash
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dev.eclipse.org/mailman/private/jetty-dev/attachments/20120327/debf6916/attachment.htm>

------------------------------

Message: 2
Date: Wed, 28 Mar 2012 09:37:09 +1100
From: Greg Wilkins <gregw@xxxxxxxxxxx>
To: "Jetty @ Eclipse developer discussion list"
       <jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] Jetty Version having fix for Denial of
       Service (https://bugzilla.redhat.com/show_bug.cgi?id=781677)
Message-ID:
       <CAH_y2NHZPrqat+GXxSWcbPTyNcDJpG4hcLN7hFFdxcBxqJmRnw@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Prakash,

Jetty-5 is no longer a supported/developed release.  There are fixes
available for jetty 6, 7 and 8.  You can also protect against this attack
by reducing the maximum form content size to < 4k.
Note that as an open source project, you can modify the source of jetty-5
and build your own version.   We just do not have the resources available
to do an official release of such an old version.
regards


On 28 March 2012 03:13, prakash mallick <pcmallick@xxxxxxxxx> wrote:

> Hi All,
>         We are using Jetty version Jetty-5.1.14 binary, can anybody please
> tell me if we can have an immediate  version w.r.t 5.1.14 having fix for
> https://bugzilla.redhat.com/show_bug.cgi?id=781677 .
>
> Thanks and Regards,
> Prakash
>
> _______________________________________________
> jetty-dev mailing list
> jetty-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dev.eclipse.org/mailman/private/jetty-dev/attachments/20120328/2c99da06/attachment.htm>

------------------------------

Message: 3
Date: Wed, 28 Mar 2012 14:40:24 +0900
From: Will <wglozer@xxxxxxxxx>
To: jetty-dev@xxxxxxxxxxx
Subject: [jetty-dev] SPDY window size update, a bug?
Message-ID:
       <CAHvJj_vLr7EZ8iVQE0W2V7wFmDM-wQ+QwdfBBNUBhHtO7yJFAQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

Hello,

I have been playing around with Jetty's shiny new SPDY support and ran
into a problem where my SPDY sessions were timing out, apparently
because a PING response wasn't being sent to the client (Chrome 17).

I tracked this down to StandardSession, where a flush call was being
skipped with two items in the queue, a DataFrame and the PingFrame
response. The flush was skipped because DataFrameBytes.getByteBuffer()
was returning null, which in turn was caused by the Stream window size
being <= 0.

When the complete() method of DataFrameBytes is called it calls
Stream.updateWindowSize(-length):

https://github.com/eclipse/jetty.project/blob/jetty-8/jetty-spdy/spdy-core/src/main/java/org/eclipse/jetty/spdy/StandardSession.java#L1037

Is that correct? I don't follow the logic for updating the window size
that way, but I am very new to both SPDY and the Jetty code base.
Removing the window size update does fix the client PING timeouts.

Thanks!
Will


------------------------------

Message: 4
Date: Wed, 28 Mar 2012 09:45:12 +0200
From: Simone Bordet <sbordet@xxxxxxxxxxx>
To: "Jetty @ Eclipse developer discussion list"
       <jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] SPDY window size update, a bug?
Message-ID:
       <CAFWmRJ2rKmRuKST4tyzx4s0NkmJGvVxy5tQ+FgBXiWRSPktJrg@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

Hi,

On Wed, Mar 28, 2012 at 07:40, Will <wglozer@xxxxxxxxx> wrote:
> Hello,
>
> I have been playing around with Jetty's shiny new SPDY support and ran
> into a problem where my SPDY sessions were timing out, apparently
> because a PING response wasn't being sent to the client (Chrome 17).
>
> I tracked this down to StandardSession, where a flush call was being
> skipped with two items in the queue, a DataFrame and the PingFrame
> response. The flush was skipped because DataFrameBytes.getByteBuffer()
> was returning null, which in turn was caused by the Stream window size
> being <= 0.
>
> When the complete() method of DataFrameBytes is called it calls
> Stream.updateWindowSize(-length):
>
> https://github.com/eclipse/jetty.project/blob/jetty-8/jetty-spdy/spdy-core/src/main/java/org/eclipse/jetty/spdy/StandardSession.java#L1037
>
> Is that correct? I don't follow the logic for updating the window size
> that way, but I am very new to both SPDY and the Jetty code base.
> Removing the window size update does fix the client PING timeouts.

I am not sure that flow control is implemented in Chromium/Chrome 17,
so perhaps we need a switch to turn it off on server side too.
I think the update of the window size is right, but we're stalling
PING frames (and other channels too), so that looks like a bug.
Investigating.

Simon
--
http://cometd.org
http://intalio.com
http://bordet.blogspot.com
----
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.?? Victoria Livschitz


------------------------------

Message: 5
Date: Wed, 28 Mar 2012 11:40:13 +0200
From: Simone Bordet <sbordet@xxxxxxxxxxx>
To: "Jetty @ Eclipse developer discussion list"
       <jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] SPDY window size update, a bug?
Message-ID:
       <CAFWmRJ0XBDdbx73_Xw-PnxN5GpV3t3-4f6o_v19+Z7tUaxSKOQ@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

Hi,

On Wed, Mar 28, 2012 at 09:45, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
> I am not sure that flow control is implemented in Chromium/Chrome 17,
> so perhaps we need a switch to turn it off on server side too.
> I think the update of the window size is right, but we're stalling
> PING frames (and other channels too), so that looks like a bug.
> Investigating.

Confirmed as bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=375509

Simon
--
http://cometd.org
http://intalio.com
http://bordet.blogspot.com
----
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.?? Victoria Livschitz


------------------------------

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-dev


End of jetty-dev Digest, Vol 37, Issue 20
*****************************************