Add support for Jetty 12 to address CVE-2024-6763 #235
kevin-lee added a commit to kevin-lee/http4s-jetty that referenced this issue Nov 13, 2024

- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- The current version of http4s-jetty uses Jetty 10.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s-jetty should use Jetty 12, the current stable version.
- Jetty 12 requires Java 17, so dropping support for Java 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE). However, for the first version supporting Jetty 12, it is better to support only Jakarta EE 8 to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
kevin-lee changed the title from "Support Jetty 12" to "Add support for Jetty 12 to address CVE-2024-6763" Nov 13, 2024
Why?

- Jetty versions from `7.0.0` up to `12.0.11` are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- The current version of `http4s-jetty` uses Jetty `10`.
- To solve the issue, `http4s-jetty` should use Jetty `12`, the current stable version.

Any Other Things to Know?

- Jetty `12` requires Java `17`, so dropping support for Java `11` is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE). However, for the first version supporting Jetty `12`, it is better to support only Jakarta EE `8` to minimize changes, as the API namespace moved from `javax` to `jakarta` starting with Jakarta EE `9`.

NOTE: I've done it for http4s 0.22 (http4s/http4s#7579), and I'm working on it for `http4s-jetty` now.
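As an added example (not part of the issue or of the http4s-jetty code base), the following script checks resolved dependency coordinates against the affected range stated above, treating `12.0.11` as inclusive. The sample lines, the `0.0.0-EXAMPLE` version and the function names are constructed for illustration; Jetty's legacy `.vYYYYMMDD` qualifiers are ignored when comparing.

```python
import re

# Affected range as stated in the issue: 7.0.0 up to 12.0.11 (assumed inclusive).
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (12, 0, 11)

# Maven-style coordinates, e.g. org.eclipse.jetty:jetty-server:10.0.20, including
# sub-groups such as org.eclipse.jetty.ee8. The trailing group captures qualifiers.
COORD = re.compile(
    r"\b(org\.eclipse\.jetty(?:\.[\w.-]+)?):([\w.-]+):(\d+(?:\.\d+){1,2})([\w.-]*)"
)


def parse_version(numeric):
    """Turn '9.4.53' or '12.0' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in numeric.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(numeric):
    """True when the numeric version lies inside the affected range."""
    return AFFECTED_MIN <= parse_version(numeric) <= AFFECTED_MAX


def find_affected(lines):
    """Return sorted (group, artifact, version) for each Jetty coordinate in range."""
    hits = set()
    for line in lines:
        for group, artifact, numeric, qualifier in COORD.findall(line):
            if is_affected(numeric):
                hits.add((group, artifact, numeric + qualifier))
    return sorted(hits)


# Constructed dependency lines in coordinate form, not taken from the project.
SAMPLE = [
    "org.http4s:http4s-jetty-server_2.13:0.0.0-EXAMPLE",
    "  +-org.eclipse.jetty:jetty-server:10.0.20",
    "  +-org.eclipse.jetty:jetty-util:9.4.53.v20231009",
    "  +-org.eclipse.jetty.ee8:jetty-ee8-servlet:12.0.11",
    "  +-org.eclipse.jetty:jetty-server:12.0.12",
]

if __name__ == "__main__":
    for group, artifact, version in find_affected(SAMPLE):
        print(f"in affected range: {group}:{artifact}:{version}")
```
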