CVE-2011-4461

Priority
Medium
Description
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters
without restricting the ability to trigger hash collisions predictably,
which allows remote attackers to cause a denial of service (CPU
consumption) by sending many crafted parameters.
References
Notes
mdeslaur> in main in lucid, maverick, natty only
Assigned-to
mdeslaur
Package
Source: jetty (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 8.04 LTS (Hardy Heron): not-affected (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx): released (6.1.22-1ubuntu1.1)
Ubuntu 11.10 (Oneiric Ocelot): ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin): needed
Ubuntu 12.10 (Quantal Quetzal): needed
Ubuntu 13.04 (Raring Ringtail): needed
Ubuntu 13.10 (Saucy Salamander): needed
Patches:
Upstream: https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf

Updated: 2013-05-09 15:15:56 UTC (commit 6824)