Accepting request 1280113 from Java:packages

security fixes

OBS-URL: https://build.opensuse.org/request/show/1280113
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/jetty-minimal?expand=0&rev=28

jetty-alpn.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon May 26 10:30:44 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.57.v20241219
+  * Security fixes:
+    + CVE-2024-6763, bsc#1231652: the HttpURI class does
+      insufficient validation on the authority segment of a URI
+    + CVE-2024-13009, bsc#1243271: Gzip Request Body Buffer
+      Corruption
+  * Changes:
+    + #12268 - IteratingCallback may iterate too much when process()
+      returns Action.IDLE
+    + #12648 - Backport improved handling of bad Gzip content (and
+      Gzip Exceptions)
+    + #12532 - Backport of deprecation of UserInfo on URI (in
+      violation of RFC2616 spec)
+
 -------------------------------------------------------------------
 Tue Oct 15 21:27:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 

jetty-alpn.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package jetty-alpn
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2007, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,10 +18,10 @@
 
 
 %global base_name jetty
-%global addver  .v20240826
+%global addver  .v20241219
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-alpn
-Version:        9.4.56
+Version:        9.4.57
 Release:        0
 Summary:        The alpn modules for Jetty
 License:        Apache-2.0 OR EPL-1.0

jetty-http2.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon May 26 10:30:44 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.57.v20241219
+  * Security fixes:
+    + CVE-2024-6763, bsc#1231652: the HttpURI class does
+      insufficient validation on the authority segment of a URI
+    + CVE-2024-13009, bsc#1243271: Gzip Request Body Buffer
+      Corruption
+  * Changes:
+    + #12268 - IteratingCallback may iterate too much when process()
+      returns Action.IDLE
+    + #12648 - Backport improved handling of bad Gzip content (and
+      Gzip Exceptions)
+    + #12532 - Backport of deprecation of UserInfo on URI (in
+      violation of RFC2616 spec)
+
 -------------------------------------------------------------------
 Tue Oct 15 21:27:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 

jetty-http2.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package jetty-http2
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2007, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,10 +18,10 @@
 
 
 %global base_name jetty
-%global addver  .v20240826
+%global addver  .v20241219
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-http2
-Version:        9.4.56
+Version:        9.4.57
 Release:        0
 Summary:        The http2 modules for Jetty
 License:        Apache-2.0 OR EPL-1.0

jetty-minimal.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Mon May 26 10:30:44 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.57.v20241219
+  * Security fixes:
+    + CVE-2024-6763, bsc#1231652: the HttpURI class does
+      insufficient validation on the authority segment of a URI
+    + CVE-2024-13009, bsc#1243271: Gzip Request Body Buffer
+      Corruption
+  * Changes:
+    + #12268 - IteratingCallback may iterate too much when process()
+      returns Action.IDLE
+    + #12648 - Backport improved handling of bad Gzip content (and
+      Gzip Exceptions)
+    + #12532 - Backport of deprecation of UserInfo on URI (in
+      violation of RFC2616 spec)
+
+-------------------------------------------------------------------
+Mon Nov 11 16:51:57 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Added patch:
+  * jetty-port-to-servlet-4.0.patch
+    + Fix build against the javax.servlet-api 4.x
+
+-------------------------------------------------------------------
+Thu Oct 17 12:27:25 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Package the infrastructure pom artifacts too
+
 -------------------------------------------------------------------
 Thu Oct 17 09:47:04 UTC 2024 - Anton Shvetz <shvetz.anton@gmail.com>
 

jetty-minimal.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package jetty-minimal
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2007, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,16 +18,17 @@
 
 
 %global base_name jetty
-%global addver  .v20240826
+%global addver  .v20241219
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-minimal
-Version:        9.4.56
+Version:        9.4.57
 Release:        0
 Summary:        Java Webserver and Servlet Container
 License:        Apache-2.0 OR EPL-1.0
 Group:          Productivity/Networking/Web/Servers
 URL:            https://www.eclipse.org/jetty/
 Source0:        https://github.com/eclipse/%{base_name}.project/archive/%{base_name}-%{version}%{addver}.tar.gz#/%{src_name}.tar.gz
+Patch0:         jetty-port-to-servlet-4.0.patch
 BuildRequires:  fdupes
 BuildRequires:  java-devel >= 1.8
 BuildRequires:  maven-local
@@ -263,6 +264,12 @@ Group:          Productivity/Networking/Web/Servers
 %description    -n %{base_name}-xml
 %{extdesc} %{summary}.
 
+%package        -n %{base_name}-project
+Summary:        POM files for Jetty
+
+%description    -n %{base_name}-project
+%{extdesc} %{summary}.
+
 %package        javadoc
 Summary:        Javadoc for %{name}
 Group:          Productivity/Networking/Web/Servers
@@ -272,6 +279,7 @@ Group:          Productivity/Networking/Web/Servers
 
 %prep
 %setup -q -n %{src_name}
+%patch -P 0 -p1
 
 find . -name "*.?ar" -exec rm {} \;
 find . -name "*.class" -exec rm {} \;
@@ -403,9 +411,9 @@ sed -i '/<SystemProperty name="jetty.state"/d' \
 %{mvn_package} :jetty-distribution __noinstall
 
 # Separate package for POMs
-%{mvn_package} ':*-project' __noinstall
-%{mvn_package} ':*-parent' __noinstall
-%{mvn_package} ':*-bom' __noinstall
+%{mvn_package} ':*-project' project
+%{mvn_package} ':*-parent' project
+%{mvn_package} ':*-bom' project
 
 # artifact used by demo
 %{mvn_package} :test-mock-resources
@@ -497,6 +505,8 @@ ln -s %{_javadir}/%{base_name}/%{base_name}-ant.jar %{buildroot}%{_datadir}/ant/
 
 %files -n %{base_name}-plus -f .mfiles-jetty-plus
 
+%files -n %{base_name}-project -f .mfiles-project
+
 %files -n %{base_name}-quickstart -f .mfiles-jetty-quickstart
 
 %files -n %{base_name}-rewrite -f .mfiles-jetty-rewrite

jetty-port-to-servlet-4.0.patch

@@ -0,0 +1,48 @@
+--- jetty.project-jetty-9.4.56.v20240826/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java	2024-11-11 17:39:19.269641330 +0100
++++ jetty.project-jetty-9.4.56.v20240826/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java	2024-11-11 17:46:58.312710664 +0100
+@@ -2971,6 +2971,45 @@
+         {
+             return null;
+         }
++
++        public void setResponseCharacterEncoding(String charset)
++        {
++            LOG.warn(UNIMPLEMENTED_USE_SERVLET_CONTEXT_HANDLER, "setResponseCharacterEncoding(String...)");
++        }
++
++        public String getResponseCharacterEncoding()
++        {
++            LOG.warn(UNIMPLEMENTED_USE_SERVLET_CONTEXT_HANDLER, "getResponseCharacterEncoding()");
++            return null;
++        }
++
++        public void setRequestCharacterEncoding(String charset)
++        {
++            LOG.warn(UNIMPLEMENTED_USE_SERVLET_CONTEXT_HANDLER, "setRequestCharacterEncoding(String...)");
++        }
++
++        public String getRequestCharacterEncoding()
++        {
++            LOG.warn(UNIMPLEMENTED_USE_SERVLET_CONTEXT_HANDLER, "getRequestCharacterEncoding()");
++            return null;
++        }
++
++        public void setSessionTimeout(int sessionTimeout)
++        {
++            LOG.warn(UNIMPLEMENTED_USE_SERVLET_CONTEXT_HANDLER, "setSessionTimeout(int...)");
++        }
++
++        public int getSessionTimeout()
++        {
++            LOG.warn(UNIMPLEMENTED_USE_SERVLET_CONTEXT_HANDLER, "getSessionTimeout()");
++            return 0;
++        }
++
++        public ServletRegistration.Dynamic addJspFile(String servletName, String jspFile)
++        {
++            LOG.warn(UNIMPLEMENTED_USE_SERVLET_CONTEXT_HANDLER, "addJspFile(String..., String...)");
++            return null;
++        }
+     }
+ 
+     /**

jetty-unixsocket.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon May 26 10:30:44 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.57.v20241219
+  * Security fixes:
+    + CVE-2024-6763, bsc#1231652: the HttpURI class does
+      insufficient validation on the authority segment of a URI
+    + CVE-2024-13009, bsc#1243271: Gzip Request Body Buffer
+      Corruption
+  * Changes:
+    + #12268 - IteratingCallback may iterate too much when process()
+      returns Action.IDLE
+    + #12648 - Backport improved handling of bad Gzip content (and
+      Gzip Exceptions)
+    + #12532 - Backport of deprecation of UserInfo on URI (in
+      violation of RFC2616 spec)
+
 -------------------------------------------------------------------
 Tue Oct 15 21:27:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 

jetty-unixsocket.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package jetty-unixsocket
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2007, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,10 +18,10 @@
 
 
 %global base_name jetty
-%global addver  .v20240826
+%global addver  .v20241219
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-unixsocket
-Version:        9.4.56
+Version:        9.4.57
 Release:        0
 Summary:        The unixsocket modules for Jetty
 License:        Apache-2.0 OR EPL-1.0

jetty-websocket.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon May 26 10:30:44 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.57.v20241219
+  * Security fixes:
+    + CVE-2024-6763, bsc#1231652: the HttpURI class does
+      insufficient validation on the authority segment of a URI
+    + CVE-2024-13009, bsc#1243271: Gzip Request Body Buffer
+      Corruption
+  * Changes:
+    + #12268 - IteratingCallback may iterate too much when process()
+      returns Action.IDLE
+    + #12648 - Backport improved handling of bad Gzip content (and
+      Gzip Exceptions)
+    + #12532 - Backport of deprecation of UserInfo on URI (in
+      violation of RFC2616 spec)
+
 -------------------------------------------------------------------
 Tue Oct 15 21:27:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 

jetty-websocket.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package jetty-websocket
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2007, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,10 +18,10 @@
 
 
 %global base_name jetty
-%global addver  .v20240826
+%global addver  .v20241219
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-websocket
-Version:        9.4.56
+Version:        9.4.57
 Release:        0
 Summary:        The websocket modules for Jetty
 License:        Apache-2.0 OR EPL-1.0

jetty.project-jetty-9.4.56.v20240826.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:02955a9152023af2238ed5a5aa331b6b6ef2e2934f9d4871b318763254315968
-size 19348893

jetty.project-jetty-9.4.57.v20241219.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1614d3465f4c04075efc7731379ecaed2eb46168a3b0f722a88c282677a86046
+size 19350745