Updating for published CVES (#8274)

* Updating for published CVES

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Joakim Erdfelt 2022-07-08 16:50:04 -05:00 committed by GitHub
parent c1c2bdbb45
commit 2e18276ff5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 35 additions and 3 deletions


@ -23,18 +23,18 @@ jetty-10.0.10 - 16 June 2022
precompressed formats with defaults
+ 7891 Better Servlet PathMappings for Regex
+ 7918 PathMappings.asPathSpec does not allow root ServletPathSpec
+ 7935 Review HTTP/2 error handling
+ 7935 Review HTTP/2 error handling (Resolves CVE-2022-2048)
+ 7975 `ForwardedRequestCustomizer` setters do not clear existing handlers
+ 7977 UpgradeHttpServletRequest.setAttribute &
UpgradeHttpServletRequest.removeAttribute can throw NullPointerException
+ 7994 Ability to construct a detached client Request
+ 8014 Review HttpRequest URI construction
+ 8014 Review HttpRequest URI construction (Resolves CVE-2022-2047)
+ 8057 Support Http Response 103 (Early Hints)
+ 8067 Wall time usage in DoSFilter RateTracker results in false positive
alert
+ 8088 Add option to configure exitVm on ShutdownMonitor from System
properties
+ 8161 Improve SSLConnection buffers handling
+ 8161 Improve SSLConnection buffers handling (Resolves CVE-2022-2191)
jetty-10.0.9 - 30 March 2022
+ 5681 Unrecognized jetty-home/start.jar command line option not reported
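Review bot: The "(Resolves CVE-...)" suffixes added to 7935, 8014 and 8161 in the jetty-10.0.10 section give only the CVE id, and titles such as "Review HTTP/2 error handling" and "Review HttpRequest URI construction" do not tell someone deciding whether to upgrade what the exposure was. Consider adding a short impact phrase or a pointer to the advisory beside each id. Keep the exact "Resolves CVE-YYYY-NNNN" wording identical on every entry so the file can be searched reliably by release tooling.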
@ -133,6 +133,38 @@ jetty-10.0.8 - 07 February 2022
+ 7524 Missing package in JmxConfiguration
+ 7529 Upgrade quiche to version 0.11.0
jetty-9.4.48.v20220622 - 21 June 2022
+ 8184 All suffix globs except first fail to match if path has . character in
prefix
jetty-9.4.47.v20220610 - 10 June 2022
+ 4717 High CPU spikes with jetty winstone threads
+ 7748 Allow overriding of url-pattern mapping in ServletContextHandler to
allow for regex or uri-template matching
+ 7801 Session cookie can be set twice after session id changed
+ 7855 Remove accidentally included package-info.class in all packages
+ 7858 GZipHandler does not play nice with other handlers in HandlerCollection
+ 7863 Default servlet drops first accept-encoding header if there is more
than one.
+ 7918 PathMappings.asPathSpec does not allow root ServletPathSpec
+ 7935 Review HTTP/2 error handling (Resolves CVE-2022-2048)
+ 8014 Review HttpRequest URI construction (Resolves CVE-2022-2047)
+ 8067 Wall time usage in DoSFilter RateTracker results in false positive
alert
+ 8088 Add option to configure exitVm on ShutdownMonitor from System
properties
jetty-9.4.46.v20220331 - 31 March 2022
+ 5965 Option --write-module-graph produces wrong .dot file
+ 6756 Deprecate `/jetty-spring/` artifact in `jetty-9.4.x` releases
+ 7518 ArrayTrie getBest fails to match the empty string entry in certain
cases
+ 7548 Interrupt flag is not always cleared in between requests
+ 7567 Gzip compression not working for multipart/form-data when added to the
allowed list using addIncludedMimeTypes.
+ 7569 Miconfigured headerCacheSize in can result in IllegalArgumentException
+ 7615 HttpServletResponse.encodeURL not working for URLs starting with ../
jetty-9.4.45.v20220203 - 03 February 2022
+ 4275 Path Normalization/Traversal - Context Matching
+ 6497 Replace SameFileAliasChecker
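Review bot: The added jetty-9.4.47.v20220610 section tags 7935 and 8014 with their CVE ids but has no 8161 entry, while the jetty-10.0.10 section of this same file marks 8161 as resolving CVE-2022-2191. If 9.4.x is not affected, say so in the commit message or the release notes; if the fix was backported, the entry is missing here. Two smaller points: the 7569 line reads "Miconfigured headerCacheSize in can result in", which has a typo and a stray "in", and the commit message mentions only CVEs although this hunk also adds three whole 9.4.x release sections, so the message should say that as well.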