From 3a86b0c430c7edac1df4d728e958dda701500b95 Mon Sep 17 00:00:00 2001 From: Joakim Erdfelt Date: Mon, 5 Apr 2021 12:14:40 -0500 Subject: [PATCH] Update VERSION.txt + Add CVE references + Remove reference to fixing testcases Signed-off-by: Joakim Erdfelt --- VERSION.txt | 32 +++++--------------------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/VERSION.txt b/VERSION.txt index fecc16e1048..d63bc6a1a49 100644 --- a/VERSION.txt +++ b/VERSION.txt @@ -3,15 +3,15 @@ jetty-9.4.40-SNAPSHOT jetty-9.4.39.v20210325 - 25 March 2021 + 6034 SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present - + 6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer + + 6050 Websocket: NotUtf8Exception after upgrade to 9.4.36 or newer + 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to work on Android + 6063 Allow override of hazelcast version when using module - + 6072 jetty server high CPU when client send data length > 17408 + + 6072 jetty server high CPU when client send data length > 17408 - Resolves CVE-2021-28165 + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" Message - + 6101 Normalise ambiguous URIs - + 6102 Exclude webapps directory from deployment scan + + 6101 Normalise ambiguous URIs - Resolves CVE-2021-28164 + + 6102 Exclude webapps directory from deployment scan - Resolves CVE-2021-28163 jetty-9.4.38.v20210224 - 24 February 2021 + 4275 Path Normalization/Traversal - Context Matching @@ -39,7 +39,7 @@ jetty-9.4.37.v20210219 - 19 February 2021 + 5979 Configurable gzip Etag extension jetty-9.4.36.v20210114 - 14 January 2021 - + 5310 Jetty Http2 client discards the response fames when there is GOAWAY and + + 5310 Jetty Http2 client discards the response frames when there is GOAWAY and sends RST_STREAM + 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate + 5633 Allow to configure HttpClient request authority 
@@ -167,7 +167,6 @@ jetty-9.4.31.v20200723 - 23 July 2020 + 5057 `javax.servlet.include.context_path` attribute on root context. should be empty string, but is `"/"` + 5064 NotSerializableException for OpenIdConfiguration - + 5069 HttpClientTimeoutTests can occasionally fail due to unreachable network jetty-9.4.30.v20200611 - 11 June 2020 + 4776 Incorrect path matching for WebSocket using PathMappings @@ -470,10 +469,8 @@ jetty-9.4.20.v20190813 - 13 August 2019 + 3648 javax.websocket client container incorrectly creates Server SslContextFactory + 3698 Missing WebSocket ServerContainer after server restart - + 3700 stackoverflow in WebAppClassLoaderUrlStreamTest + 3708 Swap various java.lang.String replace() methods for better performant ones - + 3731 Add testing of CDI behaviors + 3736 NPE from WebAppClassLoader during CDI + 3746 ClassCastException in WriteFlusher.java - IdleState cannot be cast to FailedState @@ -675,7 +672,6 @@ jetty-9.2.27.v20190403 - 03 April 2019 jetty-9.4.14.v20181114 - 14 November 2018 + 3097 Duplicated programmatic Servlet Listeners causing duplicate calls - + 3103 HttpClientLoadTest reports a leak in byte buffer + 3104 Align jetty-schemas version within apache-jsp module as well jetty-9.4.13.v20181111 - 11 November 2018 @@ -739,8 +735,6 @@ jetty-9.4.12.v20180830 - 30 August 2018 Runtimes + 2075 Deprecating MultiException + 2135 Android 8.1 needs direct buffers for SSL/TLS to work - + 2233 JDK9 Test failure: - org.eclipse.jetty.server.ThreadStarvationTest.testWriteStarvation[https/ssl/tls] + 2342 File Descriptor Leak: Conscrypt: "Too many open files" + 2349 HTTP/2 max streams enforcement + 2398 MultiPartFormInputStream parsing should default to UTF-8, but allowed 
@@ -750,9 +744,6 @@ jetty-9.4.12.v20180830 - 30 August 2018 + 2530 Client waits forever for cancelled large uploads + 2560 Review PathResource exception handling + 2565 HashLoginService silently ignores file:/ config paths from 9.3.x - + 2592 Failing test on Windows: - ServerTimeoutsTest.testAsyncWriteIdleTimeoutFires[transport: HTTP] - + 2597 Failing tests on windows UnixSocketTest + 2631 IllegalArgumentException: Buffering capacity exceeded, from HttpClient HEAD Requests to resources referencing large body contents + 2648 LdapLoginModule fails with forceBinding=true under Java 9 @@ -814,7 +805,6 @@ jetty-9.4.12.v20180830 - 30 August 2018 hot redeploy on Windows + 2836 Sequential HTTPS requests may not reuse the same connection + 2844 Clean up webdefault.xml and DefaultServlet doc - + 2846 add unit test for ldap module + 2847 Wrap Connection.Listener invocations in try/catch + 2860 Leakage of HttpDestinations in HttpClient + 2871 Server reads -1 after client resets HTTP/2 stream @@ -1173,7 +1163,6 @@ jetty-9.4.7.v20170914 - 14 September 2017 + 1759 HTTP/2: producer can block in onReset + 1766 JettyClientContainerProvider does not actually use common objects correctly - + 1789 PropertyUserStoreTest failures in Windows + 1790 HTTP/2: 100% CPU usage seen during close/shutdown of endpoint + 1792 Accept ISO-8859-1 characters in response reason + 1794 Config properties typos in session-store-cache.mod @@ -1186,8 +1175,6 @@ jetty-9.4.7.v20170914 - 14 September 2017 + 1809 NPE: StandardDescriptorProcessor.visitSecurityConstraint() with null/no security manager + 1814 Move JavaVersion to jetty-util for future Java 9 support requirements - + 1816 HttpClientTest.testClientCannotValidateServerCertificate() hangs with - JDK 9 + 475546 ClosedChannelException when connection to HTTPS over HTTP proxy with CONNECT 
@@ -1409,11 +1396,8 @@ jetty-9.4.3.v20170317 - 17 March 2017 jetty-9.3.17.v20170317 - 17 March 2017 + 329 Javadoc for HttpTester and ServletTester needs to reference limited HTTP version scope - + 609 websocket ClientCloseTest testServerNoCloseHandshake is failing + 1015 Ensure jetty-distribution excludes git / temp files + 1047 ReadPendingException and then thread death - + 1049 test-jetty-osgi test exits/crashes the surefire forked JVM - + 1282 ByteArrayEndPointTest.testIdle() failure + 1296 Introduce HTTP parser "content complete" event + 1326 Jetty shutdown command got NullPointerException (http2 module added to start) @@ -1433,7 +1417,6 @@ jetty-9.3.17.v20170317 - 17 March 2017 + 1390 HashLoginService and "this.web-inf.url" property are incompatible + 1394 Default OS Locale/Encoding/Charset can cause test failures + 1396 Set-Cookie produced by Jetty is invalid for RFC6265 and Chrome - + 1399 SlowClientTest is failing on CI + 1401 HttpOutput.recycle() does not clear the write listener jetty-9.4.2.v20170220 - 20 February 2017 @@ -1537,9 +1520,6 @@ jetty-9.3.16.v20170120 - 20 January 2017 + 1229 ClassLoader constraint issue when using NativeWebSocketConfiguration with WEB-INF/lib/jetty-http.jar present + 1234 onBadMessage called from with handled message - + 1259 HostnameVerificationTest.simpleGetWithHostnameVerificationEnabledTest - is broken - + 1261 Intermittent H2C test failure AsyncIOServletTest.testAsyncReadEarlyEOF + 1262 BufferUtil.isMappedBuffer() uses reflection on private JDK fields + 1265 JAXB not available in JDK 9 + 1267 Request.getRemoteUser can throw undeclared IllegalStateException via @@ -1553,7 +1533,6 @@ jetty-9.3.16.v20170120 - 20 January 2017 + 1275 Get rid of Mockito + 1276 Remove org.eclipse.jetty.websocket.server.WebSocketServerFactory from SPI - + 1277 http2 alpn test error jetty-9.2.21.v20170120 - 20 January 2017 + 592 Support no-value Host header in HttpParser 
@@ -1589,7 +1568,6 @@ jetty-9.3.15.v20161220 - 20 December 2016 + 1099 PushCacheFilter pushes POST requests + 1108 Please improve logging in SslContextFactory when there are no approved cipher suites - + 1114 Add testcase for WSUF for stop/start of the Server + 1118 Filter.destroy() conflicts with ContainerLifeCycle.destroy() in WebSocketUpgradeFilter + 1123 Broken lifecycle for WebSocket's mappings
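Review bot: In the hunk at @@ -3,15 +3,15 @@ the 6050 entry loses its starting version ("after upgrade 9.4.35 -> 9.4.36 or newer" becomes "after upgrade to 9.4.36 or newer"), a rewording the subject line does not announce. Keep the original wording or mention the change in the commit message. The three CVE annotations on 6072, 6101 and 6102 are appended as free text after " - ", the same separator the file already uses inside issue titles (for example "4275 Path Normalization/Traversal - Context Matching"). A fixed trailing form such as "(CVE-2021-28165)" would be easier to grep and less likely to be mistaken for part of the title.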
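Review bot: The removal rule is applied unevenly in the hunk at @@ -1433,7 +1417,6 @@: "1399 SlowClientTest is failing on CI" is deleted, while "1394 Default OS Locale/Encoding/Charset can cause test failures" two lines above it stays as context. The hunk at @@ -1553,7 +1533,6 @@ shows the same pattern, removing "1277 http2 alpn test error" but keeping "1275 Get rid of Mockito". State the criterion in the commit message (for example, only entries that name a specific test class) or remove the remaining test-only entries too, so the next cleanup does not have to guess.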
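Review bot: In the hunks at @@ -1186,8 +1175,6 @@ and @@ -1537,9 +1520,6 @@ the deleted entries 1816 (HttpClientTest.testClientCannotValidateServerCertificate() hangs with JDK 9) and 1259 (HostnameVerificationTest.simpleGetWithHostnameVerificationEnabledTest is broken) concern tests of certificate and hostname validation, and both sit under releases that have already shipped (9.4.7.v20170914 and 9.3.16.v20170120). Removing them erases the changelog record that test coverage for those checks was hanging or broken in those releases. Consider keeping test entries that relate to security checks, or say in the commit message that the issue tracker is the remaining record for the removed numbers.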