190 lines
7.5 KiB
Plaintext
190 lines
7.5 KiB
Plaintext
-------------------------------------------------------------------
|
|
Tue Feb 27 12:27:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to version 9.4.54.v20240208
|
|
* Security fixes
|
|
+ CVE-2024-22201, bsc#1220437: HTTP/2 connection not closed
|
|
after idle timeout when TCP congested
|
|
* Other changes
|
|
+ #1256 DoSFilter leaks USER_AUTH entries
|
|
+ #11389 Strip default ports on ws/wss scheme uris too
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 12 15:51:00 UTC 2023 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to version 9.4.53.v20231009
|
|
* Fixes of 9.4.53.v20231009
|
|
+ CVE-2023-44487, bsc#1216169
|
|
+ CVE-2023-36478, bsc#1216162
|
|
+ #10679 - backport HTTP/2 rate control from Jetty 10.0.x
|
|
+ #10573 - backport hpack improvements from Jetty 10.0.x
|
|
+ #10546 - backport jetty-http Huffman encoders/decoders from
|
|
Jetty 10.0.x
|
|
* Fixes of 9.4.52.v20230823
|
|
+ #10352 - Jetty accepts "+" prefixed value in Content-Length
|
|
(CVE-2023-40167, bsc#1215417)
|
|
+ #10337 - SizeLimitHandler does not enforce 0 responseLimit
|
|
+ #10169 - make sure that a ServiceLoader is retrieved before
|
|
iterating
|
|
+ #10066 - Allow SAXParserFactory or SAXParser to be configured
|
|
in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh
|
|
workaround
|
|
+ #9887 - Deprecate CGI Servlet (CVE-2023-36479, bsc#1215415)
|
|
+ #9716 - Deprecate PushSessionCacheFilter
|
|
+ #9660 - OpenId Revoked authentication allows one request
|
|
(CVE-2023-41900, bsc#1215416)
|
|
+ #9476 - onCompleteFailure called multiple times
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Sep 9 14:24:30 UTC 2023 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Reproducible builds: use SOURCE_DATE_EPOCH for timestamp
|
|
|
|
-------------------------------------------------------------------
|
|
Sun May 21 05:09:16 UTC 2023 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Update to version 9.4.51.v20230217
|
|
* Fixes of 9.4.49.v20220914:
|
|
+ #8578 - getRequestURL can append "null" if getRequestURI is
|
|
unspecified in an authority-form request-target
|
|
+ #8493 - Review HTTP client feature setRemoveIdleDestinations
|
|
* Fixes of 9.4.50.v20221201:
|
|
+ #8774 - Added SizeLimitHandler
|
|
+ #8678 - Jetty client is not responding to GO_AWAY packet
|
|
received from (Jetty) Server and continue to send traffic on
|
|
same connection
|
|
* Fixes of 9.4.51.v20230217:
|
|
+ #9352 - Update / Fix CookieCutter
|
|
+ #9345 - Backport Multipart Fix for CVE-2023-26048, bsc#1210620
|
|
+ #9352 - Backport Cookie Parsing Fix for CVE-2023-26049,
|
|
bsc#1210621
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jul 8 15:15:05 UTC 2022 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to version 9.4.48.v20220622
|
|
* Fixes
|
|
+ #8184 - All suffix globs except first fail to match if path
|
|
has "." character in prefix section
|
|
+ #8145 - RegexPathSpec backport of optional group name/info
|
|
lookup if regex fails
|
|
+ #8088 - Add option to configure exitVm on ShutdownMonitor from
|
|
System properties
|
|
+ #8067 - Wall time usage in DoSFilter RateTracker results in
|
|
false positive alert
|
|
+ #8014 - Review HttpRequest URI construction (Resolves
|
|
CVE-2022-2047, bsc#1201317)
|
|
+ #7976 - Add TRANSFER_ENCODING violation for MultiPart RFC7578
|
|
parser
|
|
+ #7947 - Improved PathSpec handling for servletName & pathInfo
|
|
+ #7935 - Review HTTP/2 error handling (Resolves CVE-2022-2048,
|
|
bsc#1201316)
|
|
+ #7918 - PathMappings.asPathSpec does not allow root
|
|
ServletPathSpec
|
|
+ #7863 - Default servlet drops first accept-encoding header if
|
|
there is more than one.
|
|
+ #7858 - GZipHandler does not play nice with other handlers in
|
|
HandlerCollection
|
|
+ #7837 - Fix StatisticsHandler in the case a Handler throws
|
|
exception
|
|
+ #7809 - Jetty 9.4.x 7801 duplicate set session cookies
|
|
+ #7748 - Allow overriding of url-pattern mapping in
|
|
ServletContextHandler to allow for regex or uri-template
|
|
matching
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 29 14:13:33 UTC 2022 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to version 9.4.46.v20220328
|
|
* Changes
|
|
+ Option --write-module-graph produces wrong .dot file
|
|
+ ArrayTrie getBest fails to match the empty string entry in
|
|
certain cases
|
|
+ Interrupt flag is not always cleared in between requests
|
|
+ Gzip compression not working for multipart/form-data when
|
|
added to the allowed list using addIncludedMimeTypes.
|
|
+ Miconfigured headerCacheSize in can result in
|
|
IllegalArgumentException
|
|
+ HttpServletResponse.encodeURL not working for URLs starting
|
|
with ../
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 22 15:49:28 UTC 2022 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Build with java source and target levels 8
|
|
- Fix javadoc generation on JDK >= 13
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 19 07:13:12 UTC 2021 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Make importing of package sun.misc optional since not all jdk
|
|
versions export it
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 19 06:58:23 UTC 2021 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Update to version 9.4.43.v20210629
|
|
* Fix: bsc#1188438, CVE-2021-34429
|
|
* Changes:
|
|
+ Improve alias checking in PathResource
|
|
+ java.nio.ReadOnlyBufferException
|
|
+ Deprecate support for UTF16 encoding in URIs
|
|
+ Update to spifly 1.3.3
|
|
+ Update to asm 9.1
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jun 9 14:07:47 UTC 2021 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Update to version 9.4.42.v20210604
|
|
* Fix: bsc#1187117, CVE-2021-28169
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 14 16:57:01 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
|
|
|
|
- Update to version 9.4.40.v20210413
|
|
* Fix: bsc#1184367, CVE-2021-28165 - jetty server high CPU when
|
|
client send data length > 17408
|
|
* Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs
|
|
* Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory
|
|
from deployment scan
|
|
* Improve handling of unconsumed content
|
|
* Jetty start.jar always reports jetty.tag.version as master
|
|
* HttpConnection.getBytesIn() incorrect for requests with chunked
|
|
content
|
|
* SslConnection compacting
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 12 11:11:07 UTC 2021 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to upstream version 9.4.38.v20210224
|
|
* Fixes bsc#1182898, CVE-2020-27223
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Dec 7 18:12:50 UTC 2020 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to upstream version 9.4.35.v20201120
|
|
* Fixes bsc#1179727, CVE-2020-27218
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 19 13:05:09 UTC 2020 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to upstream version 9.4.30.v20200611
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Apr 2 09:25:19 UTC 2020 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Upgrade to upstream version 9.4.27.v20200227
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 28 09:02:29 UTC 2019 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Removed patch:
|
|
* jetty-annotations-asm6.patch
|
|
+ not needed when building against ASM7
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 8 10:42:50 UTC 2019 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
- Initial packaging of the websocket submodules of jetty
|
|
9.4.22.v20191022
|