9.4.53.v20231009

Security Updates

This release addresses:

• CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
• CVE-2023-36478

Sponsored Release

This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com

Changelog

• #10679 - backport HTTP/2 rate control from Jetty 10.0.x
• #10573 - backport hpack improvements from Jetty 10.0.x
• #10546 - backport jetty-http Huffman encoders/decoders from Jetty 10.0.x

11.0.17

Security Updates

This release addresses:

• CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)

Changelog

• #10679 - Review HTTP/2 rate control
• #10547 - Cannot customize Executor on WebSocketClient
• #10545 - Fixed deadlock in class initialization seen on JDK21.
• #10511 - Allow session idle timeout to be configured on authentication.
• #10473 - Startup Script reports ok too fast, and doesn't wait for actual start of Jetty
• #10365 - Cleanup of start properties usages

10.0.17

Security Updates

This release addresses:

• CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)

Changelog

• #10679 - Review HTTP/2 rate control
• #10547 - Cannot customize Executor on WebSocketClient
• #10545 - Fixed deadlock in class initialization seen on JDK21.
• #10511 - Allow session idle timeout to be configured on authentication.
• #10473 - Startup Script reports ok too fast, and doesn't wait for actual start of Jetty
• #10365 - Cleanup of start properties usages in jetty-10.0.x

12.0.1

Important Notes

• New Environment System (ee10 / ee9 / ee8)
• Supports ee10 / ee9 / ee8 at the same time (in different deployed webapps)
  • See Jetty 11 to 12 Migration Docs for help finding the new maven coordinates for EE specific artifacts.
• Jetty Core no longer has dependencies on any Jakarta EE Spec

Special Thanks to the following Eclipse Jetty community members

• @zugazagoitia (Alberto Zugazagoitia)

Changelog

• #10420 - do not recycle ServletChannel if aborted
• #10416 - EE9 Copies HttpFields in response
• #10411 - Review deployment of Jetty Context XML files
• #10406 - Bump jetty-setuid to 2.0.1
• #10388 - Jetty10 inetaccess mod started error
• #10356 - Deploying WAR with ee10-cdi-spi fails with Weld 5/CDI 4
• #10349 - Character encoding is reset when setting Content-Type
• #10340 - Implement containsLast in HttpFields
• #10339 - Freeze HttpFields
• #10337 - SizeLimitHandler does not enforce 0 responseLimit
• #10330 - Jetty 12: ResourceService throws NPE when resource has no filesystem path
• #10329 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10323 - Jetty 12.0.0 return wrong value for HttpServletRequest.isRequestedSessionIdValid
• #10315 - ServletInputStream::isReady results in IllegalArgumentException
• #10309 - Jetty 12: X-Powered-By header is added 2 times (if enabled)
• #10306 - Jetty 12 generates wrong Host header
• #10295 - FormAuthenticator does not dispatch to an error page but redirect
• #10294 - Request.getContext().getContextPath()
• #10293 - Improve documentation on how to write a response body in Jetty 12
• #10284 - Document all HttpFields methods
• #10275 - Fix wrong websocket artifact Jetty 12.x docs (@zugazagoitia)
• #10274 - java.nio.file.FileSystemNotFoundException when creating a resource from a JAR URL
• #10222 - Experiment/12/improve default servlet
• #10217 - Review ProxyConnectionFactory buffer management
• #10213 - UnknownFormatConversionException in start.jar --debug if path has % sign
• #10207 - Update failed JSP deployment message
• #10163 - Allow better configuration of WebAppContext classloader
• #10064 - Various Cleanup in ServletChannel
• #9900 - Improve Request.getBeginNanoTime() accuracy
• #9169 - Idle timeout is ignored if callback is not completed

11.0.16

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36478
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @strogiyotec (Almas Abdrazak)
• @huisongma (huisongma)
• @garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException
• #8405 - Servlet 3.1 ReadListener.onAllDataRead() is called twice under h2 or h2c if the server doesn't respond within 30s
• #7091 - Add SOCKS5 support (@huisongma)

10.0.16

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36478
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @strogiyotec (Almas Abdrazak)
• @huisongma (huisongma)
• @garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException
• #8405 - Servlet 3.1 ReadListener.onAllDataRead() is called twice under h2 or h2c if the server doesn't respond within 30s
• #7091 - Add SOCKS5 support (@huisongma)

9.4.52.v20230823

Sponsored Release

This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @RangerRick (Benjamin Reed)

Changelog

• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10337 - SizeLimitHandler does not enforce 0 responseLimit
• #10169 - make sure that a ServiceLoader is retrieved before iterating (@RangerRick)
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9716 - Deprecate PushSessionCacheFilter
• #9660 - OpenId Revoked authentication allows one request (CVE-2023-41900)
• #9476 - onCompleteFailure called multiple times

12.0.0

Important Notes

• New Environment System (ee10 / ee9 / ee8)
• Supports ee10 / ee9 / ee8 at the same time (in different deployed webapps)
  • See Jetty 11 to 12 Migration Docs for help finding the new maven coordinates for EE specific artifacts.
• Jetty Core no longer has dependencies on any Jakarta EE Spec

Security Updates

• This release provides a workaround for Security Advisory GHSA-58qw-p7qm-5rvh

Special Thanks to the following Eclipse Jetty community members

@kohlschuetter (Christian Kohlschütter)
@gregpoulos (Greg Poulos)

Changelog

• #10231 - DefaultServlet no longer supports POST and OPTIONS and returns a 405 instead
• #10229 - HttpConfiguration.setIdleTimeout() breaks long running requests
• #10227 - EE10 Unable to use Cookie attributes with HttpServletResponse.addCookie(jakarta.servlet.http.Cookie)
• #10205 - fixes for jetty 12 ee8 websocket demos
• #10178 - Fix demo-spec webapp failures
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #10165 - rename JAVAX_API to JAKARTA_API in ee9 and ee10 Source
• #10155 - EE10 Servlet include after HttpServletResponse.getWriter().println() omits Content-Length from the response
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.

12.0.0.beta4

Changelog

• #10144 - Common code and documentation for dispatched query parameters
• #10141 - welcome-file ignored on jetty12ee10 on exploded deploy, works on ee9 and older jettys.
• #10139 - DefaultServlet not working with named dispatch in Jetty-12 EE10.
• #10134 - Server.stop() and WebInfConfiguration.deconfigure() can throw a ClosedFileSystemException when restoring the original base resource
• #10131 - Review ERROR query-string handling
• #10102 - Fixes delivery of events to Response.CompleteListeners.
• #10090 - Improved start.jar dry-run command line quoting
• #10084 - ServletApiContext.getResourcePaths() doesn't respect the spec
• #10082 - Various cleanups of StringUtil and TypeUtil
• #10081 - Fix replacement logic for Configuration lists
• #10071 - add SizeLimitHandler to Jetty-12
• #10068 - Jetty 12: instantiation of HashLoginService
• #10061 - Simplified URLResource cleaner
• #9444 - Unexpected encoding in request.getPathInfo() with Jetty 12 beta0

12.0.0.beta3

Changelog

• #9988 - Add constructors accepting the handler to wrap to all core handler wrappers
• #9984 - URLResource.isDirectory() throws a NullPointerException when created from a jar:file: URL
• #9983 - Implement quality lists for Locales
• #9975 - Experiment with a fully async ContentSourceCompletableFuture
• #9973 - Creating a Resource for an entry in a nested jar file in Jetty 12
• #9972 - getResourcePaths fails when a META-INF resource has reserved characters in its filename
• #9966 - NullPointerException with default servlet, include and welcome pages
• #9965 - prevent multiple websocket frames from being demanded in Jetty-12
• #9960 - Custom logging in Jetty 12 beta2 can fail due to NullPointerException in org.eclipse.jetty.server.Request
• #9955 - Jetty 12.0 beta 2 HttpServletResponse::getStatus returns 0 by default
• #9953 - Jetty 12.0 Handle HEAD requests in Handler
• #9946 - Handler passed to Handler in constructor a parent or child?
• #9944 - Remove integer for demand in websocket in Jetty-12
• #9934 - Fix ee10 path info only (alternative)
• #9927 - Jetty 12 inserted handler in ee10 servlet context
• #9925 - Bring back Jetty <12 flexibility of "current context / context handler"
• #9920 - Remove ee10 HttpChannel.Listener
• #9919 - Jetty-12 creates two instances of ArrayByteBufferPool
• #9904 - Experiment/jetty 12 chunk isError and warnings
• #9878 - Fixes and extra testing for EE9 ContextHandler class loading
• #9396 - Improve JPMS testing for websocket in Jetty 12

Dependencies

• #9924 - Upgrade of dependencies: slf4j 2.0.7, and some 3rd parties dependencies used for testing