From 96d4d455417c9b672188f4ee7ffb8d685c566ed1 Mon Sep 17 00:00:00 2001
From: Joakim Erdfelt
Date: Thu, 14 Sep 2023 14:26:02 -0500
Subject: [PATCH 1/2] Fixing CVE number for CGI servlet deprecation

---
 VERSION.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/VERSION.txt b/VERSION.txt
index 526f8c0bd63..330dc9e81b5 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -26,7 +26,7 @@ jetty-10.0.16 - 25 August 2023
  + 9772 Improve Quiche certificates deployment
  + 9777 CrossOriginFilter does not return Vary header on no-cors mode
  + 9795 http3-server is leaking the Jetty logging service to web applications
- + 9887 Deprecate CGI Servlet (CVE-2023-40167)
+ + 9887 Deprecate CGI Servlet (CVE-2023-36479)
  + 9895 A MessageTooLargeException doesn't close a WebSocket connection
  + 9947 Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null
@@ -55,7 +55,7 @@ jetty-10.0.16 - 25 August 2023
 jetty-9.4.52.v20230823 - 23 August 2023
  + 9476 onCompleteFailure called multiple times
  + 9660 OpenId Revoked authentication allows one request (CVE-2023-41900)
- + 9887 Deprecate CGI Servlet (CVE-2023-40167)
+ + 9887 Deprecate CGI Servlet (CVE-2023-36479)
  + 10066 Allow `SAXParserFactory` or `SAXParser` to be configured in Jetty's `XmlParser` class
  + 10168 NPE in websocket extension startup

From 000a55f78f2302a1b6e98c20b102427102f62bff Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Fri, 15 Sep 2023 10:16:41 +1000
Subject: [PATCH 2/2] upgrade to bouncycastle 1.76 (#10512)

* upgrade to bouncycastle 1.76
Signed-off-by: Olivier Lamy
* fix artifact names
Signed-off-by: Olivier Lamy
---------
Signed-off-by: Olivier Lamy
---
 jetty-keystore/pom.xml | 8 ++++----
 .../src/main/config/modules/test-keystore.mod | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/jetty-keystore/pom.xml b/jetty-keystore/pom.xml
index 222536cabdb..4e90ee52237 100644
--- a/jetty-keystore/pom.xml
+++ b/jetty-keystore/pom.xml
@@ -13,23 +13,23 @@ ${project.groupId}.keystore - 1.70 + 1.76 org.bouncycastle - bcpkix-jdk15on + bcpkix-jdk15to18 ${bouncycastle.version} org.bouncycastle - bcprov-jdk15on + bcprov-jdk15to18 ${bouncycastle.version} org.bouncycastle - bcutil-jdk15on + bcutil-jdk15to18 ${bouncycastle.version}
diff --git a/jetty-keystore/src/main/config/modules/test-keystore.mod b/jetty-keystore/src/main/config/modules/test-keystore.mod
index 954a644a635..2316e26c515 100644
--- a/jetty-keystore/src/main/config/modules/test-keystore.mod
+++ b/jetty-keystore/src/main/config/modules/test-keystore.mod
@@ -10,15 +10,15 @@ ssl
 ssl
 [files]
-maven://org.bouncycastle/bcpkix-jdk15on/${bouncycastle.version}|lib/bouncycastle/bcpkix-jdk15on-${bouncycastle.version}.jar
-maven://org.bouncycastle/bcprov-jdk15on/${bouncycastle.version}|lib/bouncycastle/bcprov-jdk15on-${bouncycastle.version}.jar
-maven://org.bouncycastle/bcutil-jdk15to18/${bouncycastle.version}|lib/bouncycastle/bcutil-jdk15on-${bouncycastle.version}.jar
+maven://org.bouncycastle/bcpkix-jdk15to18/${bouncycastle.version}|lib/bouncycastle/bcpkix-jdk15to18-${bouncycastle.version}.jar
+maven://org.bouncycastle/bcprov-jdk15to18/${bouncycastle.version}|lib/bouncycastle/bcprov-jdk15to18-${bouncycastle.version}.jar
+maven://org.bouncycastle/bcutil-jdk15to18/${bouncycastle.version}|lib/bouncycastle/bcutil-jdk15to18-${bouncycastle.version}.jar
 [lib]
 lib/jetty-keystore-${jetty.version}.jar
-lib/bouncycastle/bcpkix-jdk15on-${bouncycastle.version}.jar
-lib/bouncycastle/bcprov-jdk15on-${bouncycastle.version}.jar
-lib/bouncycastle/bcutil-jdk15on-${bouncycastle.version}.jar
+lib/bouncycastle/bcpkix-jdk15to18-${bouncycastle.version}.jar
+lib/bouncycastle/bcprov-jdk15to18-${bouncycastle.version}.jar
+lib/bouncycastle/bcutil-jdk15to18-${bouncycastle.version}.jar
 [xml]
 etc/jetty-test-keystore.xml
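Review bot: The `[files]` and `[lib]` entries in the test-keystore.mod hunk still resolve through `${bouncycastle.version}`, but neither hunk shows where that property gets its value for the module, and the diffstat says this hunk is the whole change to the .mod file. If test-keystore.mod carries its own `[ini]` default for `bouncycastle.version` (it would sit past the end of this hunk), it needs the same 1.70 → 1.76 bump that pom.xml receives, or start.jar would presumably download and load the older jdk15to18 jars while the build compiles against 1.76. Worth confirming the property has one source of truth, or pinning the expectation with a comment above `[files]` such as `# bouncycastle.version must match <bouncycastle.version> in jetty-keystore/pom.xml`.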