Accepting request 1117494 from Java:packages

Misc. security fixes OBS-URL: https://build.opensuse.org/request/show/1117494 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/jetty-minimal?expand=0&rev=20
2023-10-12 21:44:38 +00:00 · 2023-10-12 21:44:38 +00:00 · d054ef8e42
commit d054ef8e42
parent af5bb53f56 9f9e2f92e4
8 changed files with 89 additions and 10 deletions
--- a/jetty-minimal.changes
+++ b/jetty-minimal.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Thu Oct 12 15:51:00 UTC 2023 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.53.v20231009
+  * Fixes of 9.4.53.v20231009
+    + CVE-2023-44487, bsc#1216169
+    + CVE-2023-36478, bsc#1216162
+    + #10679 - backport HTTP/2 rate control from Jetty 10.0.x
+    + #10573 - backport hpack improvements from Jetty 10.0.x
+    + #10546 - backport jetty-http Huffman encoders/decoders from
+      Jetty 10.0.x
+  * Fixes of 9.4.52.v20230823
+    + #10352 - Jetty accepts "+" prefixed value in Content-Length
+      (CVE-2023-40167, bsc#1215417)
+    + #10337 - SizeLimitHandler does not enforce 0 responseLimit
+    + #10169 - make sure that a ServiceLoader is retrieved before
+      iterating 
+    + #10066 - Allow SAXParserFactory or SAXParser to be configured
+      in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh
+      workaround
+    + #9887 - Deprecate CGI Servlet (CVE-2023-36479, bsc#1215415)
+    + #9716 - Deprecate PushSessionCacheFilter
+    + #9660 - OpenId Revoked authentication allows one request
+      (CVE-2023-41900, bsc#1215416)
+    + #9476 - onCompleteFailure called multiple times
+
 -------------------------------------------------------------------
 Sat Sep  9 14:24:29 UTC 2023 - Fridrich Strba <fstrba@suse.com>

--- a/jetty-minimal.spec
+++ b/jetty-minimal.spec
@ -18,10 +18,10 @@


 %global base_name jetty
-%global addver  .v20230217
+%global addver  .v20231009
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-minimal
-Version:        9.4.51
+Version:        9.4.53
 Release:        0
 Summary:        Java Webserver and Servlet Container
 License:        Apache-2.0 OR EPL-1.0
@ -43,15 +43,16 @@ BuildRequires:  mvn(org.apache.tomcat:tomcat-jasper)
 BuildRequires:  mvn(org.codehaus.mojo:build-helper-maven-plugin)
 BuildRequires:  mvn(org.eclipse.jetty.orbit:javax.mail.glassfish)
 BuildRequires:  mvn(org.eclipse.jetty.toolchain:jetty-schemas)
+BuildRequires:  mvn(org.jboss.logging:jboss-logging)
 BuildRequires:  mvn(org.ow2.asm:asm)
 BuildRequires:  mvn(org.ow2.asm:asm-commons)
 BuildRequires:  mvn(org.slf4j:slf4j-api)
+BuildArch:      noarch
 %ifarch %{ix86}
 BuildConflicts: java >= 12
 BuildConflicts: java-devel >= 12
 BuildConflicts: java-headless >= 12
 %endif
-BuildArch:      noarch

 %description

--- a/jetty-unixsocket.changes
+++ b/jetty-unixsocket.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Thu Oct 12 15:51:00 UTC 2023 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.53.v20231009
+  * Fixes of 9.4.53.v20231009
+    + CVE-2023-44487, bsc#1216169
+    + CVE-2023-36478, bsc#1216162
+    + #10679 - backport HTTP/2 rate control from Jetty 10.0.x
+    + #10573 - backport hpack improvements from Jetty 10.0.x
+    + #10546 - backport jetty-http Huffman encoders/decoders from
+      Jetty 10.0.x
+  * Fixes of 9.4.52.v20230823
+    + #10352 - Jetty accepts "+" prefixed value in Content-Length
+      (CVE-2023-40167, bsc#1215417)
+    + #10337 - SizeLimitHandler does not enforce 0 responseLimit
+    + #10169 - make sure that a ServiceLoader is retrieved before
+      iterating 
+    + #10066 - Allow SAXParserFactory or SAXParser to be configured
+      in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh
+      workaround
+    + #9887 - Deprecate CGI Servlet (CVE-2023-36479, bsc#1215415)
+    + #9716 - Deprecate PushSessionCacheFilter
+    + #9660 - OpenId Revoked authentication allows one request
+      (CVE-2023-41900, bsc#1215416)
+    + #9476 - onCompleteFailure called multiple times
+
 -------------------------------------------------------------------
 Sat Sep  9 14:24:30 UTC 2023 - Fridrich Strba <fstrba@suse.com>

--- a/jetty-unixsocket.spec
+++ b/jetty-unixsocket.spec
@ -18,10 +18,10 @@


 %global base_name jetty
-%global addver  .v20230217
+%global addver  .v20231009
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-unixsocket
-Version:        9.4.51
+Version:        9.4.53
 Release:        0
 Summary:        The unixsocket modules for Jetty
 License:        Apache-2.0 OR EPL-1.0
--- a/jetty-websocket.changes
+++ b/jetty-websocket.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Thu Oct 12 15:51:00 UTC 2023 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade to version 9.4.53.v20231009
+  * Fixes of 9.4.53.v20231009
+    + CVE-2023-44487, bsc#1216169
+    + CVE-2023-36478, bsc#1216162
+    + #10679 - backport HTTP/2 rate control from Jetty 10.0.x
+    + #10573 - backport hpack improvements from Jetty 10.0.x
+    + #10546 - backport jetty-http Huffman encoders/decoders from
+      Jetty 10.0.x
+  * Fixes of 9.4.52.v20230823
+    + #10352 - Jetty accepts "+" prefixed value in Content-Length
+      (CVE-2023-40167, bsc#1215417)
+    + #10337 - SizeLimitHandler does not enforce 0 responseLimit
+    + #10169 - make sure that a ServiceLoader is retrieved before
+      iterating 
+    + #10066 - Allow SAXParserFactory or SAXParser to be configured
+      in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh
+      workaround
+    + #9887 - Deprecate CGI Servlet (CVE-2023-36479, bsc#1215415)
+    + #9716 - Deprecate PushSessionCacheFilter
+    + #9660 - OpenId Revoked authentication allows one request
+      (CVE-2023-41900, bsc#1215416)
+    + #9476 - onCompleteFailure called multiple times
+
 -------------------------------------------------------------------
 Sat Sep  9 14:24:30 UTC 2023 - Fridrich Strba <fstrba@suse.com>

--- a/jetty-websocket.spec
+++ b/jetty-websocket.spec
@ -18,10 +18,10 @@


 %global base_name jetty
-%global addver  .v20230217
+%global addver  .v20231009
 %define src_name %{base_name}.project-%{base_name}-%{version}%{addver}
 Name:           %{base_name}-websocket
-Version:        9.4.51
+Version:        9.4.53
 Release:        0
 Summary:        The websocket modules for Jetty
 License:        Apache-2.0 OR EPL-1.0
--- a/jetty.project-jetty-9.4.51.v20230217.tar.gz
+++ b/jetty.project-jetty-9.4.51.v20230217.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4417c5551ae21fd33ada64cf6ae275adcaffff7d4daa5a25cab3b06a3709eac8
-size 19331040
--- a/jetty.project-jetty-9.4.53.v20231009.tar.gz
+++ b/jetty.project-jetty-9.4.53.v20231009.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fcff12abe2702029cc1bcd75a7294c0359f243fb16768c5d9f161a9b2fa3c7ee
+size 19349292