File jetty-unixsocket.changes of Package jetty-minimal
-------------------------------------------------------------------
Mon May 26 10:30:44 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 9.4.57.v20241219
* Security fixes:
+ CVE-2024-6763, bsc#1231652: the HttpURI class does
insufficient validation on the authority segment of a URI
+ CVE-2024-13009, bsc#1243271: Gzip Request Body Buffer
Corruption
* Changes:
+ #12268 - IteratingCallback may iterate too much when process()
returns Action.IDLE
+ #12648 - Backport improved handling of bad Gzip content (and
Gzip Exceptions)
+ #12532 - Backport of deprecation of UserInfo on URI (in
violation of RFC2616 spec)
-------------------------------------------------------------------
Tue Oct 15 21:27:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 9.4.56.v20240826
* Security fixes:
+ CVE-2024-8184, bsc#1231651, ThreadLimitHandler.getRemote()
vulnerable to remote DoS attacks
* Changes:
+ #12201 backport ThreadLimitHandler improvements from Jetty 12
+ #11938 - Updating URL refs from eclipse.org/jetty and
eclipse.dev/jetty to jetty.org (including XML dtd references)
+ #10805 - Jetty response with an invalid HTTP2 packet if the
client set the hpack table size as 0
-------------------------------------------------------------------
Tue Feb 27 12:27:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 9.4.54.v20240208
* Security fixes
+ CVE-2024-22201, bsc#1220437: HTTP/2 connection not closed
after idle timeout when TCP congested
* Other changes
+ #1256 DoSFilter leaks USER_AUTH entries
+ #11389 Strip default ports on ws/wss scheme uris too
-------------------------------------------------------------------
Thu Oct 12 15:51:00 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 9.4.53.v20231009
* Fixes of 9.4.53.v20231009
+ CVE-2023-44487, bsc#1216169
+ CVE-2023-36478, bsc#1216162
+ #10679 - backport HTTP/2 rate control from Jetty 10.0.x
+ #10573 - backport hpack improvements from Jetty 10.0.x
+ #10546 - backport jetty-http Huffman encoders/decoders from
Jetty 10.0.x
* Fixes of 9.4.52.v20230823
+ #10352 - Jetty accepts "+" prefixed value in Content-Length
(CVE-2023-40167, bsc#1215417)
+ #10337 - SizeLimitHandler does not enforce 0 responseLimit
+ #10169 - make sure that a ServiceLoader is retrieved before
iterating
+ #10066 - Allow SAXParserFactory or SAXParser to be configured
in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh
workaround
+ #9887 - Deprecate CGI Servlet (CVE-2023-36479, bsc#1215415)
+ #9716 - Deprecate PushSessionCacheFilter
+ #9660 - OpenId Revoked authentication allows one request
(CVE-2023-41900, bsc#1215416)
+ #9476 - onCompleteFailure called multiple times
-------------------------------------------------------------------
Sat Sep 9 14:24:30 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Reproducible builds: use SOURCE_DATE_EPOCH for timestamp
-------------------------------------------------------------------
Sun May 21 05:09:16 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Update to version 9.4.51.v20230217
* Fixes of 9.4.49.v20220914:
+ #8578 - getRequestURL can append "null" if getRequestURI is
unspecified in an authority-form request-target
+ #8493 - Review HTTP client feature setRemoveIdleDestinations
* Fixes of 9.4.50.v20221201:
+ #8774 - Added SizeLimitHandler
+ #8678 - Jetty client is not responding to GO_AWAY packet
received from (Jetty) Server and continue to send traffic on
same connection
* Fixes of 9.4.51.v20230217:
+ #9352 - Update / Fix CookieCutter
+ #9345 - Backport Multipart Fix for CVE-2023-26048, bsc#1210620
+ #9352 - Backport Cookie Parsing Fix for CVE-2023-26049,
bsc#1210621
-------------------------------------------------------------------
Fri Jul 8 15:15:05 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 9.4.48.v20220622
* Fixes
+ #8184 - All suffix globs except first fail to match if path
has "." character in prefix section
+ #8145 - RegexPathSpec backport of optional group name/info
lookup if regex fails
+ #8088 - Add option to configure exitVm on ShutdownMonitor from
System properties
+ #8067 - Wall time usage in DoSFilter RateTracker results in
false positive alert
+ #8014 - Review HttpRequest URI construction (Resolves
CVE-2022-2047, bsc#1201317)
+ #7976 - Add TRANSFER_ENCODING violation for MultiPart RFC7578
parser
+ #7947 - Improved PathSpec handling for servletName & pathInfo
+ #7935 - Review HTTP/2 error handling (Resolves CVE-2022-2048,
bsc#1201316)
+ #7918 - PathMappings.asPathSpec does not allow root
ServletPathSpec
+ #7863 - Default servlet drops first accept-encoding header if
there is more than one.
+ #7858 - GZipHandler does not play nice with other handlers in
HandlerCollection
+ #7837 - Fix StatisticsHandler in the case a Handler throws
exception
+ #7809 - Jetty 9.4.x 7801 duplicate set session cookies
+ #7748 - Allow overriding of url-pattern mapping in
ServletContextHandler to allow for regex or uri-template
matching
-------------------------------------------------------------------
Tue Mar 29 14:13:33 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 9.4.46.v20220328
* Changes
+ Option --write-module-graph produces wrong .dot file
+ ArrayTrie getBest fails to match the empty string entry in
certain cases
+ Interrupt flag is not always cleared in between requests
+ Gzip compression not working for multipart/form-data when
added to the allowed list using addIncludedMimeTypes.
+ Miconfigured headerCacheSize in can result in
IllegalArgumentException
+ HttpServletResponse.encodeURL not working for URLs starting
with ../
-------------------------------------------------------------------
Tue Mar 22 15:49:28 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Build with java source and target levels 8
- Fix javadoc generation on JDK >= 13
-------------------------------------------------------------------
Tue Oct 19 07:13:12 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Make importing of package sun.misc optional since not all jdk
versions export it
-------------------------------------------------------------------
Mon Jul 19 10:11:08 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Splitting jetty-unixsocket 9.4.43.v20210629 into a separate spec
file
