diff --git a/VERSION.txt b/VERSION.txt index 2a5f5a996b1..9a808978213 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -27,13 +27,13 @@ jetty-10.0.2 - 26 March 2021 + 6037 Review logging modules for j.u.l. + 6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer + 6063 Allow override of hazelcast version when using module - + 6072 jetty server high CPU when client send data length > 17408 + + 6072 jetty server high CPU when client send data length > 17408 - Resolves CVE-2021-28165 + 6076 Embedded Jetty throws null pointer exception + 6082 SslConnection compacting + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" Message - + 6101 Normalise ambiguous URIs - + 6102 Exclude webapps directory from deployment scan + + 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164 + + 6102 Exclude webapps directory from deployment scan - Resolves CVE-2021-28163 jetty-10.0.1 - 19 February 2021 + 1673 jetty-demo/etc/keystore should not be distributed @@ -133,8 +133,22 @@ jetty-10.0.0.beta3 - 21 October 2020 + 5475 Update to spifly 1.3.2 and asm 9 + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown +jetty-9.4.39.v20210325 - 25 March 2021 + + 6034 SslContextFactory may select a wildcard certificate during SNI + selection when a more specific SSL certificate is present + + 6050 Websocket: NotUtf8Exception after upgrade to 9.4.36 or newer + + 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to + work on Android + + 6063 Allow override of hazelcast version when using module + + 6072 jetty server high CPU when client send data length > 17408 - Resolves CVE-2021-28165 + + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" + Message + + 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164 + + 6102 Exclude webapps directory from deployment scan - Resolves CVE-2021-28163 + jetty-9.4.38.v20210224 - 24 February 2021 + 4275 Path Normalization/Traversal - Context Matching + + 5963 Improve QuotedQualityCSV for CVE-2020-27223 + 5977 Cache-Control header set by a filter is override by the value from DefaultServlet configuration + 5994 QueuedThreadPool "free" threads @@ -158,7 +172,7 @@ jetty-9.4.37.v20210219 - 19 February 2021 + 5979 Configurable gzip Etag extension jetty-9.4.36.v20210114 - 14 January 2021 - + 5310 Jetty Http2 client discards the response fames when there is GOAWAY and + + 5310 Jetty Http2 client discards the response frames when there is GOAWAY and sends RST_STREAM + 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate + 5633 Allow to configure HttpClient request authority @@ -420,7 +434,6 @@ jetty-9.4.31.v20200723 - 23 July 2020 + 5057 `javax.servlet.include.context_path` attribute on root context. should be empty string, but is `"/"` + 5064 NotSerializableException for OpenIdConfiguration - + 5069 HttpClientTimeoutTests can occasionally fail due to unreachable network jetty-9.4.30.v20200611 - 11 June 2020 + 4776 Incorrect path matching for WebSocket using PathMappings @@ -723,10 +736,8 @@ jetty-9.4.20.v20190813 - 13 August 2019 + 3648 javax.websocket client container incorrectly creates Server SslContextFactory + 3698 Missing WebSocket ServerContainer after server restart - + 3700 stackoverflow in WebAppClassLoaderUrlStreamTest + 3708 Swap various java.lang.String replace() methods for better performant ones - + 3731 Add testing of CDI behaviors + 3736 NPE from WebAppClassLoader during CDI + 3746 ClassCastException in WriteFlusher.java - IdleState cannot be cast to FailedState @@ -928,7 +939,6 @@ jetty-9.2.27.v20190403 - 03 April 2019 jetty-9.4.14.v20181114 - 14 November 2018 + 3097 Duplicated programmatic Servlet Listeners causing duplicate calls - + 3103 HttpClientLoadTest reports a leak in byte buffer + 3104 Align jetty-schemas version within apache-jsp module as well jetty-9.4.13.v20181111 - 11 November 2018 @@ -992,8 +1002,6 @@ jetty-9.4.12.v20180830 - 30 August 2018 Runtimes + 2075 Deprecating MultiException + 2135 Android 8.1 needs direct buffers for SSL/TLS to work - + 2233 JDK9 Test failure: - org.eclipse.jetty.server.ThreadStarvationTest.testWriteStarvation[https/ssl/tls] + 2342 File Descriptor Leak: Conscrypt: "Too many open files" + 2349 HTTP/2 max streams enforcement + 2398 MultiPartFormInputStream parsing should default to UTF-8, but allowed @@ -1003,9 +1011,6 @@ jetty-9.4.12.v20180830 - 30 August 2018 + 2530 Client waits forever for cancelled large uploads + 2560 Review PathResource exception handling + 2565 HashLoginService silently ignores file:/ config paths from 9.3.x - + 2592 Failing test on Windows: - ServerTimeoutsTest.testAsyncWriteIdleTimeoutFires[transport: HTTP] - + 2597 Failing tests on windows UnixSocketTest + 2631 IllegalArgumentException: Buffering capacity exceeded, from HttpClient HEAD Requests to resources referencing large body contents + 2648 LdapLoginModule fails with forceBinding=true under Java 9 @@ -1067,7 +1072,6 @@ jetty-9.4.12.v20180830 - 30 August 2018 hot redeploy on Windows + 2836 Sequential HTTPS requests may not reuse the same connection + 2844 Clean up webdefault.xml and DefaultServlet doc - + 2846 add unit test for ldap module + 2847 Wrap Connection.Listener invocations in try/catch + 2860 Leakage of HttpDestinations in HttpClient + 2871 Server reads -1 after client resets HTTP/2 stream @@ -1426,7 +1430,6 @@ jetty-9.4.7.v20170914 - 14 September 2017 + 1759 HTTP/2: producer can block in onReset + 1766 JettyClientContainerProvider does not actually use common objects correctly - + 1789 PropertyUserStoreTest failures in Windows + 1790 HTTP/2: 100% CPU usage seen during close/shutdown of endpoint + 1792 Accept ISO-8859-1 characters in response reason + 1794 Config properties typos in session-store-cache.mod @@ -1439,8 +1442,6 @@ jetty-9.4.7.v20170914 - 14 September 2017 + 1809 NPE: StandardDescriptorProcessor.visitSecurityConstraint() with null/no security manager + 1814 Move JavaVersion to jetty-util for future Java 9 support requirements - + 1816 HttpClientTest.testClientCannotValidateServerCertificate() hangs with - JDK 9 + 475546 ClosedChannelException when connection to HTTPS over HTTP proxy with CONNECT @@ -1662,11 +1663,8 @@ jetty-9.4.3.v20170317 - 17 March 2017 jetty-9.3.17.v20170317 - 17 March 2017 + 329 Javadoc for HttpTester and ServletTester needs to reference limited HTTP version scope - + 609 websocket ClientCloseTest testServerNoCloseHandshake is failing + 1015 Ensure jetty-distribution excludes git / temp files + 1047 ReadPendingException and then thread death - + 1049 test-jetty-osgi test exits/crashes the surefire forked JVM - + 1282 ByteArrayEndPointTest.testIdle() failure + 1296 Introduce HTTP parser "content complete" event + 1326 Jetty shutdown command got NullPointerException (http2 module added to start) @@ -1686,7 +1684,6 @@ jetty-9.3.17.v20170317 - 17 March 2017 + 1390 HashLoginService and "this.web-inf.url" property are incompatible + 1394 Default OS Locale/Encoding/Charset can cause test failures + 1396 Set-Cookie produced by Jetty is invalid for RFC6265 and Chrome - + 1399 SlowClientTest is failing on CI + 1401 HttpOutput.recycle() does not clear the write listener jetty-9.4.2.v20170220 - 20 February 2017 @@ -1790,9 +1787,6 @@ jetty-9.3.16.v20170120 - 20 January 2017 + 1229 ClassLoader constraint issue when using NativeWebSocketConfiguration with WEB-INF/lib/jetty-http.jar present + 1234 onBadMessage called from with handled message - + 1259 HostnameVerificationTest.simpleGetWithHostnameVerificationEnabledTest - is broken - + 1261 Intermittent H2C test failure AsyncIOServletTest.testAsyncReadEarlyEOF + 1262 BufferUtil.isMappedBuffer() uses reflection on private JDK fields + 1265 JAXB not available in JDK 9 + 1267 Request.getRemoteUser can throw undeclared IllegalStateException via @@ -1806,7 +1800,6 @@ jetty-9.3.16.v20170120 - 20 January 2017 + 1275 Get rid of Mockito + 1276 Remove org.eclipse.jetty.websocket.server.WebSocketServerFactory from SPI - + 1277 http2 alpn test error jetty-9.2.21.v20170120 - 20 January 2017 + 592 Support no-value Host header in HttpParser @@ -1842,7 +1835,6 @@ jetty-9.3.15.v20161220 - 20 December 2016 + 1099 PushCacheFilter pushes POST requests + 1108 Please improve logging in SslContextFactory when there are no approved cipher suites - + 1114 Add testcase for WSUF for stop/start of the Server + 1118 Filter.destroy() conflicts with ContainerLifeCycle.destroy() in WebSocketUpgradeFilter + 1123 Broken lifecycle for WebSocket's mappings