Merge pull request #6136 from eclipse/jetty-10.0.x-update-versiontxt-cves

Update VERSION.txt
Joakim Erdfelt 2021-04-05 15:18:46 -05:00 committed by GitHub
commit 25b96faa86
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 26 deletions

@ -27,13 +27,13 @@ jetty-10.0.2 - 26 March 2021
+ 6037 Review logging modules for j.u.l. + 6037 Review logging modules for j.u.l.
+ 6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer + 6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
+ 6063 Allow override of hazelcast version when using module + 6063 Allow override of hazelcast version when using module
+ 6072 jetty server high CPU when client send data length > 17408 + 6072 jetty server high CPU when client send data length > 17408 - Resolves CVE-2021-28165
+ 6076 Embedded Jetty throws null pointer exception + 6076 Embedded Jetty throws null pointer exception
+ 6082 SslConnection compacting + 6082 SslConnection compacting
+ 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies"
Message Message
+ 6101 Normalise ambiguous URIs + 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164
+ 6102 Exclude webapps directory from deployment scan + 6102 Exclude webapps directory from deployment scan - Resolves CVE-2021-28163
jetty-10.0.1 - 19 February 2021 jetty-10.0.1 - 19 February 2021
+ 1673 jetty-demo/etc/keystore should not be distributed + 1673 jetty-demo/etc/keystore should not be distributed
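Review bot: The 6072 entry becomes one long unwrapped line once " - Resolves CVE-2021-28165" is appended, while the neighbouring 6085 entry wraps its title onto a continuation line ("Message"). Move the CVE suffix to an indented continuation line so the file keeps its line width. The 6101 line also changes the title spelling from "Normalise" to "Normalize" in the same edit that adds the CVE reference, so anyone searching the changelog for the old spelling will no longer find this entry; consider mentioning the retitle in the commit message.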
@ -133,8 +133,22 @@ jetty-10.0.0.beta3 - 21 October 2020
+ 5475 Update to spifly 1.3.2 and asm 9 + 5475 Update to spifly 1.3.2 and asm 9
+ 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown
jetty-9.4.39.v20210325 - 25 March 2021
+ 6034 SslContextFactory may select a wildcard certificate during SNI
selection when a more specific SSL certificate is present
+ 6050 Websocket: NotUtf8Exception after upgrade to 9.4.36 or newer
+ 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to
work on Android
+ 6063 Allow override of hazelcast version when using module
+ 6072 jetty server high CPU when client send data length > 17408 - Resolves CVE-2021-28165
+ 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies"
Message
+ 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164
+ 6102 Exclude webapps directory from deployment scan - Resolves CVE-2021-28163
jetty-9.4.38.v20210224 - 24 February 2021 jetty-9.4.38.v20210224 - 24 February 2021
+ 4275 Path Normalization/Traversal - Context Matching + 4275 Path Normalization/Traversal - Context Matching
+ 5963 Improve QuotedQualityCSV for CVE-2020-27223
+ 5977 Cache-Control header set by a filter is override by the value from + 5977 Cache-Control header set by a filter is override by the value from
DefaultServlet configuration DefaultServlet configuration
+ 5994 QueuedThreadPool "free" threads + 5994 QueuedThreadPool "free" threads
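Review bot: The added 5963 entry words its CVE link as "for CVE-2020-27223", while the three entries added just above it in the new 9.4.39 section use the " - Resolves CVE-..." suffix. Pick one form so a single search over VERSION.txt finds every security fix, and so it is clear whether 5963 resolves the CVE or only hardens QuotedQualityCSV around it. The 6072 line in the new section is also left unwrapped, unlike the 6034 and 6052 entries in the same block.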
@ -158,7 +172,7 @@ jetty-9.4.37.v20210219 - 19 February 2021
+ 5979 Configurable gzip Etag extension + 5979 Configurable gzip Etag extension
jetty-9.4.36.v20210114 - 14 January 2021 jetty-9.4.36.v20210114 - 14 January 2021
+ 5310 Jetty Http2 client discards the response fames when there is GOAWAY and + 5310 Jetty Http2 client discards the response frames when there is GOAWAY and
sends RST_STREAM sends RST_STREAM
+ 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate + 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate
+ 5633 Allow to configure HttpClient request authority + 5633 Allow to configure HttpClient request authority
@ -420,7 +434,6 @@ jetty-9.4.31.v20200723 - 23 July 2020
+ 5057 `javax.servlet.include.context_path` attribute on root context. should + 5057 `javax.servlet.include.context_path` attribute on root context. should
be empty string, but is `"/"` be empty string, but is `"/"`
+ 5064 NotSerializableException for OpenIdConfiguration + 5064 NotSerializableException for OpenIdConfiguration
+ 5069 HttpClientTimeoutTests can occasionally fail due to unreachable network
jetty-9.4.30.v20200611 - 11 June 2020 jetty-9.4.30.v20200611 - 11 June 2020
+ 4776 Incorrect path matching for WebSocket using PathMappings + 4776 Incorrect path matching for WebSocket using PathMappings
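Review bot: Removing the 5069 entry (HttpClientTimeoutTests ...) is not explained by the commit message "Update VERSION.txt" or by the branch name, which mentions only CVEs, and the later hunks drop further test-related entries in the same way. Say in the commit message that test-only issues are being pruned from the changelog, or split that cleanup into its own commit so the CVE annotations can be reviewed on their own.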
@ -723,10 +736,8 @@ jetty-9.4.20.v20190813 - 13 August 2019
+ 3648 javax.websocket client container incorrectly creates Server + 3648 javax.websocket client container incorrectly creates Server
SslContextFactory SslContextFactory
+ 3698 Missing WebSocket ServerContainer after server restart + 3698 Missing WebSocket ServerContainer after server restart
+ 3700 stackoverflow in WebAppClassLoaderUrlStreamTest
+ 3708 Swap various java.lang.String replace() methods for better performant + 3708 Swap various java.lang.String replace() methods for better performant
ones ones
+ 3731 Add testing of CDI behaviors
+ 3736 NPE from WebAppClassLoader during CDI + 3736 NPE from WebAppClassLoader during CDI
+ 3746 ClassCastException in WriteFlusher.java - IdleState cannot be cast to + 3746 ClassCastException in WriteFlusher.java - IdleState cannot be cast to
FailedState FailedState
@ -928,7 +939,6 @@ jetty-9.2.27.v20190403 - 03 April 2019
jetty-9.4.14.v20181114 - 14 November 2018 jetty-9.4.14.v20181114 - 14 November 2018
+ 3097 Duplicated programmatic Servlet Listeners causing duplicate calls + 3097 Duplicated programmatic Servlet Listeners causing duplicate calls
+ 3103 HttpClientLoadTest reports a leak in byte buffer
+ 3104 Align jetty-schemas version within apache-jsp module as well + 3104 Align jetty-schemas version within apache-jsp module as well
jetty-9.4.13.v20181111 - 11 November 2018 jetty-9.4.13.v20181111 - 11 November 2018
@ -992,8 +1002,6 @@ jetty-9.4.12.v20180830 - 30 August 2018
Runtimes Runtimes
+ 2075 Deprecating MultiException + 2075 Deprecating MultiException
+ 2135 Android 8.1 needs direct buffers for SSL/TLS to work + 2135 Android 8.1 needs direct buffers for SSL/TLS to work
+ 2233 JDK9 Test failure:
org.eclipse.jetty.server.ThreadStarvationTest.testWriteStarvation[https/ssl/tls]
+ 2342 File Descriptor Leak: Conscrypt: "Too many open files" + 2342 File Descriptor Leak: Conscrypt: "Too many open files"
+ 2349 HTTP/2 max streams enforcement + 2349 HTTP/2 max streams enforcement
+ 2398 MultiPartFormInputStream parsing should default to UTF-8, but allowed + 2398 MultiPartFormInputStream parsing should default to UTF-8, but allowed
@ -1003,9 +1011,6 @@ jetty-9.4.12.v20180830 - 30 August 2018
+ 2530 Client waits forever for cancelled large uploads + 2530 Client waits forever for cancelled large uploads
+ 2560 Review PathResource exception handling + 2560 Review PathResource exception handling
+ 2565 HashLoginService silently ignores file:/ config paths from 9.3.x + 2565 HashLoginService silently ignores file:/ config paths from 9.3.x
+ 2592 Failing test on Windows:
ServerTimeoutsTest.testAsyncWriteIdleTimeoutFires[transport: HTTP]
+ 2597 Failing tests on windows UnixSocketTest
+ 2631 IllegalArgumentException: Buffering capacity exceeded, from HttpClient + 2631 IllegalArgumentException: Buffering capacity exceeded, from HttpClient
HEAD Requests to resources referencing large body contents HEAD Requests to resources referencing large body contents
+ 2648 LdapLoginModule fails with forceBinding=true under Java 9 + 2648 LdapLoginModule fails with forceBinding=true under Java 9
@ -1067,7 +1072,6 @@ jetty-9.4.12.v20180830 - 30 August 2018
hot redeploy on Windows hot redeploy on Windows
+ 2836 Sequential HTTPS requests may not reuse the same connection + 2836 Sequential HTTPS requests may not reuse the same connection
+ 2844 Clean up webdefault.xml and DefaultServlet doc + 2844 Clean up webdefault.xml and DefaultServlet doc
+ 2846 add unit test for ldap module
+ 2847 Wrap Connection.Listener invocations in try/catch + 2847 Wrap Connection.Listener invocations in try/catch
+ 2860 Leakage of HttpDestinations in HttpClient + 2860 Leakage of HttpDestinations in HttpClient
+ 2871 Server reads -1 after client resets HTTP/2 stream + 2871 Server reads -1 after client resets HTTP/2 stream
@ -1426,7 +1430,6 @@ jetty-9.4.7.v20170914 - 14 September 2017
+ 1759 HTTP/2: producer can block in onReset + 1759 HTTP/2: producer can block in onReset
+ 1766 JettyClientContainerProvider does not actually use common objects + 1766 JettyClientContainerProvider does not actually use common objects
correctly correctly
+ 1789 PropertyUserStoreTest failures in Windows
+ 1790 HTTP/2: 100% CPU usage seen during close/shutdown of endpoint + 1790 HTTP/2: 100% CPU usage seen during close/shutdown of endpoint
+ 1792 Accept ISO-8859-1 characters in response reason + 1792 Accept ISO-8859-1 characters in response reason
+ 1794 Config properties typos in session-store-cache.mod + 1794 Config properties typos in session-store-cache.mod
@ -1439,8 +1442,6 @@ jetty-9.4.7.v20170914 - 14 September 2017
+ 1809 NPE: StandardDescriptorProcessor.visitSecurityConstraint() with null/no + 1809 NPE: StandardDescriptorProcessor.visitSecurityConstraint() with null/no
security manager security manager
+ 1814 Move JavaVersion to jetty-util for future Java 9 support requirements + 1814 Move JavaVersion to jetty-util for future Java 9 support requirements
+ 1816 HttpClientTest.testClientCannotValidateServerCertificate() hangs with
JDK 9
+ 475546 ClosedChannelException when connection to HTTPS over HTTP proxy with + 475546 ClosedChannelException when connection to HTTPS over HTTP proxy with
CONNECT CONNECT
@ -1662,11 +1663,8 @@ jetty-9.4.3.v20170317 - 17 March 2017
jetty-9.3.17.v20170317 - 17 March 2017 jetty-9.3.17.v20170317 - 17 March 2017
+ 329 Javadoc for HttpTester and ServletTester needs to reference limited HTTP + 329 Javadoc for HttpTester and ServletTester needs to reference limited HTTP
version scope version scope
+ 609 websocket ClientCloseTest testServerNoCloseHandshake is failing
+ 1015 Ensure jetty-distribution excludes git / temp files + 1015 Ensure jetty-distribution excludes git / temp files
+ 1047 ReadPendingException and then thread death + 1047 ReadPendingException and then thread death
+ 1049 test-jetty-osgi test exits/crashes the surefire forked JVM
+ 1282 ByteArrayEndPointTest.testIdle() failure
+ 1296 Introduce HTTP parser "content complete" event + 1296 Introduce HTTP parser "content complete" event
+ 1326 Jetty shutdown command got NullPointerException (http2 module added to + 1326 Jetty shutdown command got NullPointerException (http2 module added to
start) start)
@ -1686,7 +1684,6 @@ jetty-9.3.17.v20170317 - 17 March 2017
+ 1390 HashLoginService and "this.web-inf.url" property are incompatible + 1390 HashLoginService and "this.web-inf.url" property are incompatible
+ 1394 Default OS Locale/Encoding/Charset can cause test failures + 1394 Default OS Locale/Encoding/Charset can cause test failures
+ 1396 Set-Cookie produced by Jetty is invalid for RFC6265 and Chrome + 1396 Set-Cookie produced by Jetty is invalid for RFC6265 and Chrome
+ 1399 SlowClientTest is failing on CI
+ 1401 HttpOutput.recycle() does not clear the write listener + 1401 HttpOutput.recycle() does not clear the write listener
jetty-9.4.2.v20170220 - 20 February 2017 jetty-9.4.2.v20170220 - 20 February 2017
@ -1790,9 +1787,6 @@ jetty-9.3.16.v20170120 - 20 January 2017
+ 1229 ClassLoader constraint issue when using NativeWebSocketConfiguration + 1229 ClassLoader constraint issue when using NativeWebSocketConfiguration
with WEB-INF/lib/jetty-http.jar present with WEB-INF/lib/jetty-http.jar present
+ 1234 onBadMessage called from with handled message + 1234 onBadMessage called from with handled message
+ 1259 HostnameVerificationTest.simpleGetWithHostnameVerificationEnabledTest
is broken
+ 1261 Intermittent H2C test failure AsyncIOServletTest.testAsyncReadEarlyEOF
+ 1262 BufferUtil.isMappedBuffer() uses reflection on private JDK fields + 1262 BufferUtil.isMappedBuffer() uses reflection on private JDK fields
+ 1265 JAXB not available in JDK 9 + 1265 JAXB not available in JDK 9
+ 1267 Request.getRemoteUser can throw undeclared IllegalStateException via + 1267 Request.getRemoteUser can throw undeclared IllegalStateException via
@ -1806,7 +1800,6 @@ jetty-9.3.16.v20170120 - 20 January 2017
+ 1275 Get rid of Mockito + 1275 Get rid of Mockito
+ 1276 Remove org.eclipse.jetty.websocket.server.WebSocketServerFactory from + 1276 Remove org.eclipse.jetty.websocket.server.WebSocketServerFactory from
SPI SPI
+ 1277 http2 alpn test error
jetty-9.2.21.v20170120 - 20 January 2017 jetty-9.2.21.v20170120 - 20 January 2017
+ 592 Support no-value Host header in HttpParser + 592 Support no-value Host header in HttpParser
@ -1842,7 +1835,6 @@ jetty-9.3.15.v20161220 - 20 December 2016
+ 1099 PushCacheFilter pushes POST requests + 1099 PushCacheFilter pushes POST requests
+ 1108 Please improve logging in SslContextFactory when there are no approved + 1108 Please improve logging in SslContextFactory when there are no approved
cipher suites cipher suites
+ 1114 Add testcase for WSUF for stop/start of the Server
+ 1118 Filter.destroy() conflicts with ContainerLifeCycle.destroy() in + 1118 Filter.destroy() conflicts with ContainerLifeCycle.destroy() in
WebSocketUpgradeFilter WebSocketUpgradeFilter
+ 1123 Broken lifecycle for WebSocket's mappings + 1123 Broken lifecycle for WebSocket's mappings