From ff8cf93efd36e2babc8f329b4a68ed58e94acd6e Mon Sep 17 00:00:00 2001
From: Chris Walker
Date: Thu, 25 Feb 2021 14:56:11 -0600
Subject: [PATCH] Update Version.txt with CVEs (#6014)

Adds CVEs to Version.txt
---
 VERSION.txt | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/VERSION.txt b/VERSION.txt
index 4e7d8512a42..48ca3ac8de5 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -67,7 +67,7 @@ jetty-10.0.0 - 02 December 2020
  + 5555 NPE for servlet with no mapping
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 java.io.IOException: unconsumed input during http request parsing
+ + 5605 java.io.IOException: unconsumed input during http request parsing - Resolves CVE-2020-27218
  + 5633 Allow to configure HttpClient request authority
  + 5679 Distro argument --list-all-modules does not work
  + 5680 No way to see which modules are enabled for the distro
@@ -91,7 +91,7 @@ jetty-10.0.0.beta3 - 21 October 2020
  + 5443 Request without Host header fails with NullPointerException in ForwardedRequestCustomizer
  + 5448 Request.isSecure() returns false for `https` schemes in Jetty 10
- + 5451 Improve Working Directory creation
+ + 5451 Improve Working Directory creation - Resolves CVE-2020-27216
  + 5454 Request error context is not reset
  + 5475 Update to spifly 1.3.2 and asm 9
  + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown
@@ -136,8 +136,8 @@ jetty-9.4.35.v20201120 - 20 November 2020
  + 5539 StatisticsServlet output is not valid
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 CVE-2020-27218 java.io.IOException: unconsumed input during http
- request parsing
+ + 5605 java.io.IOException: unconsumed input during http
+ request parsing - Resolves CVE-2020-27218
  + 5633 Allow to configure HttpClient request authority
 
 jetty-9.4.34.v20201102 - 02 November 2020
@@ -161,7 +161,7 @@ jetty-9.4.33.v20201020 - 20 October 2020
  produced by ForwardedHeader
  + 5443 Request without Host header fails with NullPointerException in ForwardedRequestCustomizer
- + 5451 Improve Working Directory creation
+ + 5451 Improve Working Directory creation - Resolves CVE-2020-27216
  + 5454 Request error context is not reset
  + 5475 Update to spifly 1.3.2 and asm 9
  + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown
@@ -394,7 +394,7 @@ jetty-9.4.30.v20200611 - 11 June 2020
  + 4923 SecureRequestCustomizer.SslAttributes does not cache cert chain like before
  + 4929 HttpClient: HttpCookieStore.Empty prevents sending cookies
- + 4936 Response header overflow leads to buffer corruptions
+ + 4936 Response header overflow leads to buffer corruptions - Resolves CVE-2019-17638
 
 jetty-9.4.29.v20200521 - 21 May 2020
  + 2188 Lock contention creating HTTP/2 streams
@@ -531,7 +531,7 @@ jetty-9.4.24.v20191120 - 20 November 2019
  + 3083 The ini-template for jetty.console-capture.dir does not match the default value
  + 4128 OpenIdCredetials can't decode JWT ID token
- + 4334 Better test ErrorHandler changes
+ + 4334 Better test ErrorHandler changes - Resolves CVE-2019-17632
 
 jetty-9.4.23.v20191118 - 18 November 2019
  + 1485 Add systemd service file
@@ -621,6 +621,7 @@ jetty-9.4.22.v20191022 - 22 October 2019
  inclusion of sessionid
 
 jetty-9.4.21.v20190926 - 26 September 2019
+ + Includes fixes for CVE-2019-9511, CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, and CVE-2019-9518
  + 97 Permanent UnavailableException thrown during servlet request handling should cause servlet destroy
  + 137 Support OAuth
@@ -766,8 +767,8 @@ jetty-9.4.18.v20190429 - 29 April 2019
 jetty-9.4.17.v20190418 - 18 April 2019
  + 2140 Infinispan and hazelcast changes to scavenge zombie expired sessions
  + 3464 Split SslContextFactory into Client and Server
- + 3549 Directory Listing on Windows reveals Resource Base path
- + 3555 DefaultHandler Reveals Base Resource Path of each Context
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
 
 jetty-9.4.16.v20190411 - 11 April 2019
  + 1861 Limit total bytes pooled by ByteBufferPools
@@ -775,7 +776,7 @@ jetty-9.4.16.v20190411 - 11 April 2019
  + 3159 WebSocket permessage-deflate RSV1 validity check
  + 3274 OSGi versions of java.base classes in
  org.apache.felix:org.osgi.foundation:jar conflicts with new rules on Java 9+
- + 3319 Modernize Directory Listing: HTML5 and Sorting
+ + 3319 Modernize Directory Listing: HTML5 and Sorting - Resolves CVE-2019-10241
  + 3361 HandlerCollection.addHandler is lacking synchronization
  + 3373 OutOfMemoryError: Java heap space in GZIPContentDecoder
  + 3389 Websockets jsr356 willDecode not invoked during decoding
@@ -848,8 +849,8 @@ jetty-9.3.28.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.3.27.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path
- + 3555 DefaultHandler Reveals Base Resource Path of each Context
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
 
 jetty-9.3.26.v20190403 - 03 April 2019
  + 2954 Improve cause reporting for HttpClient failures
@@ -857,17 +858,17 @@ jetty-9.3.26.v20190403 - 03 April 2019
  org.apache.felix:org.osgi.foundation:jar conflicts with new rules on Java 9+
  + 3302 Support host:port in X-Forwarded-For header in ForwardedRequestCustomizer
- + 3319 Allow reverse sort for directory listed files
+ + 3319 Allow reverse sort for directory listed files - Resolves CVE-2019-10241
 
 jetty-9.2.29.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.2.28.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path
- + 3555 DefaultHandler Reveals Base Resource Path of each Context
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
 
 jetty-9.2.27.v20190403 - 03 April 2019
- + 3319 Refactored Directory Listing to modernize and avoid XSS
+ + 3319 Refactored Directory Listing to modernize and avoid XSS - Resolves CVE-2019-10241
 
 jetty-9.4.14.v20181114 - 14 November 2018
  + 3097 Duplicated programmatic Servlet Listeners causing duplicate calls