Updating jetty-10.0.x VERSION.txt from changes in jetty-9.4.x (#10518)
* Updating jetty-10.0.x VERSION.txt from changes in jetty-9.4.x * Making CVE references consistent
This commit is contained in:
Joakim Erdfelt
GitHub
parent
b9cd3216f7
commit
52c9dcaee6
182
VERSION.txt
182
VERSION.txt
|
|
@ -25,7 +25,7 @@ jetty-10.0.16 - 25 August 2023
|
|||
AbstractHTTP2ServerConnectionFactory
|
||||
+ 9772 Improve Quiche certificates deployment
|
||||
+ 9777 CrossOriginFilter does not return Vary header on no-cors mode
|
||||
+ 9795 http3-server is leaking the Jetty logging service to web applications
|
||||
+ 9795 http3-server is leaking the Jetty logging service to web applications
|
||||
+ 9887 Deprecate CGI Servlet (CVE-2023-40167)
|
||||
+ 9895 A MessageTooLargeException doesn't close a WebSocket connection
|
||||
+ 9947 Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()"
|
||||
|
|
@ -52,6 +52,16 @@ jetty-10.0.16 - 25 August 2023
|
|||
+ 10388 Jetty10 inetaccess mod started error
|
||||
+ 10397 Iso88591StringBuilder.append seems to have a logic error
|
||||
|
||||
jetty-9.4.52.v20230823 - 23 August 2023
|
||||
+ 9476 onCompleteFailure called multiple times
|
||||
+ 9660 OpenId Revoked authentication allows one request (CVE-2023-41900)
|
||||
+ 9887 Deprecate CGI Servlet (CVE-2023-40167)
|
||||
+ 10066 Allow `SAXParserFactory` or `SAXParser` to be configured in Jetty's
|
||||
`XmlParser` class
|
||||
+ 10168 NPE in websocket extension startup
|
||||
+ 10352 Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
|
||||
+ 10337 SizeLimitHandler does not enforce 0 responseLimit
|
||||
|
||||
jetty-10.0.15 - 11 April 2023
|
||||
+ 6184 JEP-411 will deprecate/remove the SecurityManager from the JVM
|
||||
+ 6483 Jetty http client SSL connectivity over CNTLM proxy fails
|
||||
|
|
@ -80,6 +90,12 @@ jetty-10.0.14 - 22 February 2023
|
|||
+ 9337 LowResourceMonitor.getReasons should include detailed reason instead of
|
||||
hard-coded message
|
||||
|
||||
jetty-9.4.51.v20230217 - 17 February 2023
|
||||
+ 9059 IteratingCallback not serializing close() and failed()
|
||||
+ 9181 NPE in SessionHandler.checkRequestedSessionId()
|
||||
+ 9345 Backport Fix for CVE-2023-26048
|
||||
+ 9352 Backport Fix for CVE-2023-26049
|
||||
|
||||
jetty-10.0.13 - 07 December 2022
|
||||
+ 7117 Timeout with Expect 100 continue when using ProxyServlet
|
||||
+ 7286 WebSocket write can time out even if the frame / callback has not been
|
||||
|
|
@ -123,6 +139,11 @@ jetty-10.0.13 - 07 December 2022
|
|||
+ 8942 Use Logback 1.3.x for Jetty 10.0.x
|
||||
+ 9006 WebSocket Message InputStream read() returns signed byte
|
||||
|
||||
jetty-9.4.50.v20221201 - 01 December 2022
|
||||
+ 8774 Added SizeLimitHandler
|
||||
+ 8678 Jetty client is not responding to GO_AWAY packet received from (Jetty)
|
||||
Server and continue to send traffic on same connection
|
||||
|
||||
jetty-10.0.12 - 14 September 2022
|
||||
+ 7970 Maven Plugin - the option to set extraClasspath in the plugin
|
||||
configuration isn't working
|
||||
|
|
@ -163,6 +184,10 @@ jetty-10.0.11 - 21 June 2022
|
|||
+ 8184 All suffix globs except first fail to match if path has `.` character
|
||||
in prefix section
|
||||
|
||||
jetty-9.4.48.v20220622 - 21 June 2022
|
||||
+ 8184 All suffix globs except first fail to match if path has . character in
|
||||
prefix
|
||||
|
||||
jetty-10.0.10 - 16 June 2022
|
||||
+ 1771 Add module for SecuredRedirect support
|
||||
+ 4414 GZipHandler not excluding inflation for specified paths
|
||||
|
|
@ -182,18 +207,47 @@ jetty-10.0.10 - 16 June 2022
|
|||
precompressed formats with defaults
|
||||
+ 7891 Better Servlet PathMappings for Regex
|
||||
+ 7918 PathMappings.asPathSpec does not allow root ServletPathSpec
|
||||
+ 7935 Review HTTP/2 error handling (Resolves CVE-2022-2048)
|
||||
+ 7935 Review HTTP/2 error handling (CVE-2022-2048)
|
||||
+ 7975 `ForwardedRequestCustomizer` setters do not clear existing handlers
|
||||
+ 7977 UpgradeHttpServletRequest.setAttribute &
|
||||
UpgradeHttpServletRequest.removeAttribute can throw NullPointerException
|
||||
+ 7994 Ability to construct a detached client Request
|
||||
+ 8014 Review HttpRequest URI construction (Resolves CVE-2022-2047)
|
||||
+ 8014 Review HttpRequest URI construction (CVE-2022-2047)
|
||||
+ 8057 Support Http Response 103 (Early Hints)
|
||||
+ 8067 Wall time usage in DoSFilter RateTracker results in false positive
|
||||
alert
|
||||
+ 8088 Add option to configure exitVm on ShutdownMonitor from System
|
||||
properties
|
||||
+ 8161 Improve SSLConnection buffers handling (Resolves CVE-2022-2191)
|
||||
+ 8161 Improve SSLConnection buffers handling (CVE-2022-2191)
|
||||
|
||||
|
||||
jetty-9.4.47.v20220610 - 10 June 2022
|
||||
+ 4717 High CPU spikes with jetty winstone threads
|
||||
+ 7748 Allow overriding of url-pattern mapping in ServletContextHandler to
|
||||
allow for regex or uri-template matching
|
||||
+ 7801 Session cookie can be set twice after session id changed
|
||||
+ 7855 Remove accidentally included package-info.class in all packages
|
||||
+ 7858 GZipHandler does not play nice with other handlers in HandlerCollection
|
||||
+ 7863 Default servlet drops first accept-encoding header if there is more
|
||||
than one.
|
||||
+ 7918 PathMappings.asPathSpec does not allow root ServletPathSpec
|
||||
+ 7935 Review HTTP/2 error handling (CVE-2022-2048)
|
||||
+ 8014 Review HttpRequest URI construction (CVE-2022-2047)
|
||||
+ 8067 Wall time usage in DoSFilter RateTracker results in false positive
|
||||
alert
|
||||
+ 8088 Add option to configure exitVm on ShutdownMonitor from System
|
||||
properties
|
||||
|
||||
jetty-9.4.46.v20220331 - 31 March 2022
|
||||
+ 5965 Option --write-module-graph produces wrong .dot file
|
||||
+ 6756 Deprecate `/jetty-spring/` artifact in `jetty-9.4.x` releases
|
||||
+ 7518 ArrayTrie getBest fails to match the empty string entry in certain
|
||||
cases
|
||||
+ 7548 Interrupt flag is not always cleared in between requests
|
||||
+ 7567 Gzip compression not working for multipart/form-data when added to the
|
||||
allowed list using addIncludedMimeTypes.
|
||||
+ 7569 Miconfigured headerCacheSize in can result in IllegalArgumentException
|
||||
+ 7615 HttpServletResponse.encodeURL not working for URLs starting with ../
|
||||
|
||||
jetty-10.0.9 - 30 March 2022
|
||||
+ 5681 Unrecognized jetty-home/start.jar command line option not reported
|
||||
|
|
@ -292,38 +346,6 @@ jetty-10.0.8 - 07 February 2022
|
|||
+ 7524 Missing package in JmxConfiguration
|
||||
+ 7529 Upgrade quiche to version 0.11.0
|
||||
|
||||
jetty-9.4.48.v20220622 - 21 June 2022
|
||||
+ 8184 All suffix globs except first fail to match if path has . character in
|
||||
prefix
|
||||
|
||||
jetty-9.4.47.v20220610 - 10 June 2022
|
||||
+ 4717 High CPU spikes with jetty winstone threads
|
||||
+ 7748 Allow overriding of url-pattern mapping in ServletContextHandler to
|
||||
allow for regex or uri-template matching
|
||||
+ 7801 Session cookie can be set twice after session id changed
|
||||
+ 7855 Remove accidentally included package-info.class in all packages
|
||||
+ 7858 GZipHandler does not play nice with other handlers in HandlerCollection
|
||||
+ 7863 Default servlet drops first accept-encoding header if there is more
|
||||
than one.
|
||||
+ 7918 PathMappings.asPathSpec does not allow root ServletPathSpec
|
||||
+ 7935 Review HTTP/2 error handling (Resolves CVE-2022-2048)
|
||||
+ 8014 Review HttpRequest URI construction (Resolves CVE-2022-2047)
|
||||
+ 8067 Wall time usage in DoSFilter RateTracker results in false positive
|
||||
alert
|
||||
+ 8088 Add option to configure exitVm on ShutdownMonitor from System
|
||||
properties
|
||||
|
||||
jetty-9.4.46.v20220331 - 31 March 2022
|
||||
+ 5965 Option --write-module-graph produces wrong .dot file
|
||||
+ 6756 Deprecate `/jetty-spring/` artifact in `jetty-9.4.x` releases
|
||||
+ 7518 ArrayTrie getBest fails to match the empty string entry in certain
|
||||
cases
|
||||
+ 7548 Interrupt flag is not always cleared in between requests
|
||||
+ 7567 Gzip compression not working for multipart/form-data when added to the
|
||||
allowed list using addIncludedMimeTypes.
|
||||
+ 7569 Miconfigured headerCacheSize in can result in IllegalArgumentException
|
||||
+ 7615 HttpServletResponse.encodeURL not working for URLs starting with ../
|
||||
|
||||
jetty-9.4.45.v20220203 - 03 February 2022
|
||||
+ 4275 Path Normalization/Traversal - Context Matching
|
||||
+ 6497 Replace SameFileAliasChecker
|
||||
|
|
@ -444,7 +466,7 @@ jetty-10.0.6 - 29 June 2021
|
|||
+ 6410 Ensure Jetty IO uses SocketAddress instead of InetSocketAddress
|
||||
+ 6418 Bad and/or missing Require-Capability for osgi.serviceloader
|
||||
+ 6425 Update to asm 9.1
|
||||
+ 6447 Deprecate support for UTF16 encoding in URIs (Resolves CVE-2021-34429)
|
||||
+ 6447 Deprecate support for UTF16 encoding in URIs (CVE-2021-34429)
|
||||
+ 6451 Request#getServletPath() returns null for ROOT mapping
|
||||
+ 6464 Wrong files/lib definitions in certain *-capture.mod files?
|
||||
+ 6473 Improve alias checking in PathResource
|
||||
|
|
@ -504,11 +526,9 @@ jetty-10.0.3 - 20 May 2021
|
|||
+ 6250 Lazily allocate HTTP2Stream data queue
|
||||
+ 6251 Use CyclicTimeout for HTTP2Streams
|
||||
+ 6254 Total timeout not enforced for queued requests
|
||||
+ 6263 Review URI encoding in ConcatServlet & WelcomeFilter (Resolved
|
||||
CVE-2021-28169)
|
||||
+ 6263 Review URI encoding in ConcatServlet & WelcomeFilter (CVE-2021-28169)
|
||||
+ 6272 Reduce allocation in HttpClient when notifying content listeners
|
||||
+ 6277 Better handle exceptions thrown from session destroy listener (Resolved
|
||||
CVE-2021-34428)
|
||||
+ 6277 Better handle exceptions thrown from session destroy listener (CVE-2021-34428)
|
||||
+ 6280 Copy ServletHolder class/instance properly during startWebapp
|
||||
+ 6287 Class loading broken for WebSocketClient used inside webapp
|
||||
|
||||
|
|
@ -539,15 +559,13 @@ jetty-10.0.2 - 26 March 2021
|
|||
+ 6037 Review logging modules for j.u.l
|
||||
+ 6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
|
||||
+ 6063 Allow override of hazelcast version when using module
|
||||
+ 6072 jetty server high CPU when client send data length > 17408 - Resolves
|
||||
CVE-2021-28165
|
||||
+ 6072 jetty server high CPU when client send data length > 17408 (CVE-2021-28165)
|
||||
+ 6076 Embedded Jetty throws null pointer exception
|
||||
+ 6082 SslConnection compacting
|
||||
+ 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies"
|
||||
Message
|
||||
+ 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164
|
||||
+ 6102 Exclude webapps directory from deployment scan - Resolves
|
||||
CVE-2021-28163
|
||||
+ 6101 Normalize ambiguous URIs (CVE-2021-28164)
|
||||
+ 6102 Exclude webapps directory from deployment scan (CVE-2021-28163)
|
||||
|
||||
jetty-10.0.1 - 19 February 2021
|
||||
+ 1673 jetty-demo/etc/keystore should not be distributed
|
||||
|
|
@ -591,7 +609,7 @@ jetty-10.0.1 - 19 February 2021
|
|||
+ 5937 Unnecessary blocking in ResourceService
|
||||
+ 5939 Use unwrapped exception as exception type for error handling
|
||||
+ 5950 Deadlock due to logging inside classloaders
|
||||
+ 5963 Improve QuotedQualityCSV - Resolves CVE-2020-27223
|
||||
+ 5963 Improve QuotedQualityCSV (CVE-2020-27223)
|
||||
+ 5966 jetty-home should not have a webapps/ directory
|
||||
+ 5973 Proxy client TLS authentication example
|
||||
+ 5977 Cache-Control header set by a filter is override by the value from
|
||||
|
|
@ -617,8 +635,7 @@ jetty-10.0.0 - 02 December 2020
|
|||
+ 5555 NPE for servlet with no mapping
|
||||
+ 5562 ArrayTernaryTrie consumes too much memory
|
||||
+ 5575 Add SEARCH as a known HttpMethod
|
||||
+ 5605 java.io.IOException: unconsumed input during http request parsing -
|
||||
Resolves CVE-2020-27218
|
||||
+ 5605 java.io.IOException: unconsumed input during http request parsing (CVE-2020-27218)
|
||||
+ 5633 Allow to configure HttpClient request authority
|
||||
+ 5679 Distro argument --list-all-modules does not work
|
||||
+ 5680 No way to see which modules are enabled for the distro
|
||||
|
|
@ -642,7 +659,7 @@ jetty-10.0.0.beta3 - 21 October 2020
|
|||
+ 5443 Request without Host header fails with NullPointerException in
|
||||
ForwardedRequestCustomizer
|
||||
+ 5448 Request.isSecure() returns false for `https` schemes in Jetty 10
|
||||
+ 5451 Improve Working Directory creation - Resolves CVE-2020-27216
|
||||
+ 5451 Improve Working Directory creation (CVE-2020-27216)
|
||||
+ 5454 Request error context is not reset
|
||||
+ 5475 Update to spifly 1.3.2 and asm 9
|
||||
+ 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown
|
||||
|
|
@ -786,7 +803,7 @@ jetty-9.4.43.v20210629 - 30 June 2021
|
|||
+ 6382 HttpClient TimeoutException message reports transient values
|
||||
+ 6400 QueuedThreadPool interrupts pool threads when stopped with zero timeout
|
||||
+ 6425 Update to asm 9.1
|
||||
+ 6447 Deprecate support for UTF16 encoding in URIs
|
||||
+ 6447 Deprecate support for UTF16 encoding in URIs (CVE-2021-34429)
|
||||
+ 6470 java.nio.ReadOnlyBufferException
|
||||
+ 6473 Improve alias checking in PathResource
|
||||
|
||||
|
|
@ -809,9 +826,8 @@ jetty-9.4.41.v20210516 - 16 May 2021
|
|||
+ 6227 Better resolve race between `AsyncListener.onTimeout` and
|
||||
`AsyncContext.dispatch`
|
||||
+ 6254 Total timeout not enforced for queued requests
|
||||
+ 6263 Review URI encoding in ConcatServlet & WelcomeFilter (Resolved
|
||||
CVE-2021-28169)
|
||||
+ 6277 Better handle exceptions thrown from session destroy listener
|
||||
+ 6263 Review URI encoding in ConcatServlet & WelcomeFilter (CVE-2021-28169)
|
||||
+ 6277 Better handle exceptions thrown from session destroy listener (CVE-2021-34428)
|
||||
+ 6280 Copy ServletHolder class/instance properly during startWebapp
|
||||
|
||||
jetty-9.4.40.v20210413 - 13 April 2021
|
||||
|
|
@ -827,17 +843,15 @@ jetty-9.4.39.v20210325 - 25 March 2021
|
|||
+ 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to
|
||||
work on Android
|
||||
+ 6063 Allow override of hazelcast version when using module
|
||||
+ 6072 jetty server high CPU when client send data length > 17408 - Resolves
|
||||
CVE-2021-28165
|
||||
+ 6072 jetty server high CPU when client send data length > 17408 (CVE-2021-28165)
|
||||
+ 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies"
|
||||
Message
|
||||
+ 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164
|
||||
+ 6102 Exclude webapps directory from deployment scan - Resolves
|
||||
CVE-2021-28163
|
||||
+ 6101 Normalize ambiguous URIs (CVE-2021-28164)
|
||||
+ 6102 Exclude webapps directory from deployment scan (CVE-2021-28163)
|
||||
|
||||
jetty-9.4.38.v20210224 - 24 February 2021
|
||||
+ 4275 Path Normalization/Traversal - Context Matching
|
||||
+ 5963 Improve QuotedQualityCSV for CVE-2020-27223
|
||||
+ 5963 Improve QuotedQualityCSV (CVE-2020-27223)
|
||||
+ 5977 Cache-Control header set by a filter is override by the value from
|
||||
DefaultServlet configuration
|
||||
+ 5994 QueuedThreadPool "free" threads
|
||||
|
|
@ -854,7 +868,7 @@ jetty-9.4.37.v20210219 - 19 February 2021
|
|||
+ 5909 Cannot disable HTTP OPTIONS Method
|
||||
+ 5937 Unnecessary blocking in ResourceService
|
||||
+ 5950 Deadlock due to logging inside classloaders
|
||||
+ 5963 Improve QuotedQualityCSV - Resolves CVE-2020-27223
|
||||
+ 5963 Improve QuotedQualityCSV (CVE-2020-27223)
|
||||
+ 5973 Proxy client TLS authentication example
|
||||
+ 5977 Cache-Control header set by a filter is override by the value from
|
||||
DefaultServlet configuration
|
||||
|
|
@ -885,8 +899,7 @@ jetty-9.4.35.v20201120 - 20 November 2020
|
|||
+ 5539 StatisticsServlet output is not valid
|
||||
+ 5562 ArrayTernaryTrie consumes too much memory
|
||||
+ 5575 Add SEARCH as a known HttpMethod
|
||||
+ 5605 java.io.IOException: unconsumed input during http request parsing -
|
||||
Resolves CVE-2020-27218
|
||||
+ 5605 java.io.IOException: unconsumed input during http request parsing (CVE-2020-27218)
|
||||
+ 5633 Allow to configure HttpClient request authority
|
||||
|
||||
jetty-9.4.34.v20201102 - 02 November 2020
|
||||
|
|
@ -910,7 +923,7 @@ jetty-9.4.33.v20201020 - 20 October 2020
|
|||
produced by ForwardedHeader
|
||||
+ 5443 Request without Host header fails with NullPointerException in
|
||||
ForwardedRequestCustomizer
|
||||
+ 5451 Improve Working Directory creation - Resolves CVE-2020-27216
|
||||
+ 5451 Improve Working Directory creation (CVE-2020-27216)
|
||||
+ 5454 Request error context is not reset
|
||||
+ 5475 Update to spifly 1.3.2 and asm 9
|
||||
+ 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown
|
||||
|
|
@ -1008,8 +1021,7 @@ jetty-9.4.30.v20200611 - 11 June 2020
|
|||
+ 4923 SecureRequestCustomizer.SslAttributes does not cache cert chain like
|
||||
before
|
||||
+ 4929 HttpClient: HttpCookieStore.Empty prevents sending cookies
|
||||
+ 4936 Response header overflow leads to buffer corruptions - Resolves
|
||||
CVE-2019-17638
|
||||
+ 4936 Response header overflow leads to buffer corruptions (CVE-2019-17638)
|
||||
|
||||
jetty-9.4.29.v20200521 - 21 May 2020
|
||||
+ 2188 Lock contention creating HTTP/2 streams
|
||||
|
|
@ -1146,7 +1158,7 @@ jetty-9.4.24.v20191120 - 20 November 2019
|
|||
+ 3083 The ini-template for jetty.console-capture.dir does not match the
|
||||
default value
|
||||
+ 4128 OpenIdCredetials can't decode JWT ID token
|
||||
+ 4334 Better test ErrorHandler changes - Resolves CVE-2019-17632
|
||||
+ 4334 Better test ErrorHandler changes (CVE-2019-17632)
|
||||
|
||||
jetty-9.4.23.v20191118 - 18 November 2019
|
||||
+ 1485 Add systemd service file
|
||||
|
|
@ -1381,10 +1393,8 @@ jetty-9.4.18.v20190429 - 29 April 2019
|
|||
jetty-9.4.17.v20190418 - 18 April 2019
|
||||
+ 2140 Infinispan and hazelcast changes to scavenge zombie expired sessions
|
||||
+ 3464 Split SslContextFactory into Client and Server
|
||||
+ 3549 Directory Listing on Windows reveals Resource Base path - Resolves
|
||||
CVE-2019-10246
|
||||
+ 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves
|
||||
CVE-2019-10247
|
||||
+ 3549 Directory Listing on Windows reveals Resource Base path (CVE-2019-10246)
|
||||
+ 3555 DefaultHandler Reveals Base Resource Path of each Context (CVE-2019-10247)
|
||||
|
||||
jetty-9.4.16.v20190411 - 11 April 2019
|
||||
+ 1861 Limit total bytes pooled by ByteBufferPools
|
||||
|
|
@ -1392,8 +1402,7 @@ jetty-9.4.16.v20190411 - 11 April 2019
|
|||
+ 3159 WebSocket permessage-deflate RSV1 validity check
|
||||
+ 3274 OSGi versions of java.base classes in
|
||||
org.apache.felix:org.osgi.foundation:jar conflicts with new rules on Java 9+
|
||||
+ 3319 Modernize Directory Listing: HTML5 and Sorting - Resolves
|
||||
CVE-2019-10241
|
||||
+ 3319 Modernize Directory Listing: HTML5 and Sorting (CVE-2019-10241)
|
||||
+ 3361 HandlerCollection.addHandler is lacking synchronization
|
||||
+ 3373 OutOfMemoryError: Java heap space in GZIPContentDecoder
|
||||
+ 3389 Websockets jsr356 willDecode not invoked during decoding
|
||||
|
|
@ -1466,10 +1475,8 @@ jetty-9.3.28.v20191105 - 05 November 2019
|
|||
+ 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
|
||||
|
||||
jetty-9.3.27.v20190418 - 18 April 2019
|
||||
+ 3549 Directory Listing on Windows reveals Resource Base path - Resolves
|
||||
CVE-2019-10246
|
||||
+ 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves
|
||||
CVE-2019-10247
|
||||
+ 3549 Directory Listing on Windows reveals Resource Base path (CVE-2019-10246)
|
||||
+ 3555 DefaultHandler Reveals Base Resource Path of each Context (CVE-2019-10247)
|
||||
|
||||
jetty-9.3.26.v20190403 - 03 April 2019
|
||||
+ 2954 Improve cause reporting for HttpClient failures
|
||||
|
|
@ -1477,20 +1484,17 @@ jetty-9.3.26.v20190403 - 03 April 2019
|
|||
org.apache.felix:org.osgi.foundation:jar conflicts with new rules on Java 9+
|
||||
+ 3302 Support host:port in X-Forwarded-For header in
|
||||
ForwardedRequestCustomizer
|
||||
+ 3319 Allow reverse sort for directory listed files - Resolves CVE-2019-10241
|
||||
+ 3319 Allow reverse sort for directory listed files (CVE-2019-10241)
|
||||
|
||||
jetty-9.2.29.v20191105 - 05 November 2019
|
||||
+ 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
|
||||
|
||||
jetty-9.2.28.v20190418 - 18 April 2019
|
||||
+ 3549 Directory Listing on Windows reveals Resource Base path - Resolves
|
||||
CVE-2019-10246
|
||||
+ 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves
|
||||
CVE-2019-10247
|
||||
+ 3549 Directory Listing on Windows reveals Resource Base path (CVE-2019-10246)
|
||||
+ 3555 DefaultHandler Reveals Base Resource Path of each Context (CVE-2019-10247)
|
||||
|
||||
jetty-9.2.27.v20190403 - 03 April 2019
|
||||
+ 3319 Refactored Directory Listing to modernize and avoid XSS - Resolves
|
||||
CVE-2019-10241
|
||||
+ 3319 Refactored Directory Listing to modernize and avoid XSS (CVE-2019-10241)
|
||||
|
||||
jetty-9.4.14.v20181114 - 14 November 2018
|
||||
+ 3097 Duplicated programmatic Servlet Listeners causing duplicate calls
|
||||
|
|
@ -7814,7 +7818,7 @@ jetty-7.0.1.v20091125 - 25 November 2009
|
|||
+ JETTY-1148 Reset partially read request reader
|
||||
+ COMETD-34 Support Baeyux MBean
|
||||
+ CQ-3581 jetty OSGi contribution
|
||||
+ CVE-2009-3555 Prevent SSL renegotiate for SSL vulnerability
|
||||
+ Prevent SSL renegotiate for SSL vulnerability (CVE-2009-3555)
|
||||
+ Fixed client abort asocciation
|
||||
+ Fixed XSS issue in CookieDump demo servlet.
|
||||
+ Improved start.jar usage text for properties
|
||||
|
|
@ -8883,7 +8887,7 @@ jetty-6.1.6rc0 - 03 October 2007
|
|||
+ Allow scan interval to be set after Scanner started
|
||||
+ Avoid FULL exception in window between blockForOutput and remote close
|
||||
+ Cached user agents strings in the /org/mortbay/jetty/useragents resource
|
||||
+ CVE-2007-5615 Added protection for response splitting with bad headers.
|
||||
+ Added protection for response splitting with bad headers (CVE-2007-5615)
|
||||
+ Ensure session is completed only when leaving context.
|
||||
+ Fix cached header optimization for extra characters
|
||||
+ Fix Host header for async client
|
||||
|
|
@ -9240,7 +9244,7 @@ jetty-6.1.0rc0 - 08 December 2006
|
|||
jetty-6.1.0pre3 - 22 November 2006
|
||||
+ JETTY-154 Cookies are double quotes only
|
||||
+ JETTY-180 XBean support for context deploy
|
||||
+ CVE-2006-6969 Upgraded session ID generation to use SecureRandom
|
||||
+ Upgraded session ID generation to use SecureRandom (CVE-2006-6969)
|
||||
+ Expose isResumed on Continuations
|
||||
+ fixed NIO endpoint flush. Avoid duplicate sends
|
||||
+ Refactored AJP generator
|
||||
|
|
@ -9687,7 +9691,7 @@ jetty-6.0.0Beta5
|
|||
+ Moved to SVN
|
||||
|
||||
jetty-6.0.0Beta4
|
||||
+ CVE-2006-2758 Fixed JSP visibility security issue.
|
||||
+ Fixed JSP visibility security issue (CVE-2006-2758)
|
||||
+ Improved jetty-web.xml access to org.mortbay classes.
|
||||
+ Jasper 5.5.12
|
||||
+ System property support in plugin
|
||||
|
|
@ -9798,7 +9802,7 @@ jetty-5.1.7rc0 - 06 December 2005
|
|||
+ use commons logging jar instead of api jar.
|
||||
|
||||
jetty-5.1.6 - 18 November 2005
|
||||
+ CVE-2006-2758 Fixed JSP visibility security issue.
|
||||
+ Fixed JSP visibility security issue (CVE-2006-2758)
|
||||
+ Improved jetty-web.xml access to org.mortbay classes.
|
||||
|
||||
jetty-5.1.5 - 10 November 2005
|
||||
|
|
|
|||
Loading…
Reference in New Issue