http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763 #7578

Open
kevin-lee opened this issue Nov 12, 2024 · 2 comments

Comments

@kevin-lee
Contributor

kevin-lee commented Nov 12, 2024


http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763

Why?

Why Not Update http4s 0.23?

Any Other Things to Know?

  • Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
  • Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but I only added support for Jakarta EE 8 to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.

NOTE:

I've been working on it, and it seems to be working. I will do the same for http4s-jetty as well.

kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 12, 2024
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- http4s 0.22's http4s-jetty uses Jetty 9.
- Jetty 9's community support ended in June 2022.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s should use Jetty 12, the current stable version.
- Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
- Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
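The commit message above gives the affected range for CVE-2024-6763 as Jetty 7.0.0 up to 12.0.11. The following checker, added here as an illustration and not part of http4s or this issue, takes a list of resolved Maven coordinates (the sample list is constructed) and flags the Jetty artifacts that fall inside that range, so a build can be audited before and after the Jetty 12 upgrade. It assumes coordinates in `group:artifact:version` form and that Jetty artifacts live under group ids starting with `org.eclipse.jetty`.

```python
"""Flag resolved Jetty artifacts inside the version range the issue cites
as affected by CVE-2024-6763 (7.0.0 up to and including 12.0.11)."""
import re
from typing import List, Tuple

# Affected range as stated in the issue: 7.0.0 <= version <= 12.0.11.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (12, 0, 11)

# Jetty 9.x version strings carry a date qualifier (e.g. "9.4.x.vYYYYMMDD");
# only the leading numeric components matter for the range check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_affected(coordinates: List[str]) -> List[str]:
    """Return the Jetty coordinates (group:artifact:version) still in the range."""
    hits = []
    for coord in coordinates:
        parts = coord.split(":")
        if len(parts) < 3:
            continue  # not a group:artifact:version coordinate
        group, version = parts[0], parts[-1]
        # Jetty also publishes under sub-groups (assumption: all start with
        # "org.eclipse.jetty"), so match the group-id prefix rather than equality.
        if group == "org.eclipse.jetty" or group.startswith("org.eclipse.jetty."):
            if is_affected(version):
                hits.append(coord)
    return hits


# Constructed sample of resolved coordinates; the version strings are
# illustrative, not a record of any real http4s build.
SAMPLE_COORDINATES = [
    "org.eclipse.jetty:jetty-server:9.4.56.v20240826",   # Jetty 9: affected
    "org.eclipse.jetty:jetty-servlet:9.4.56.v20240826",  # Jetty 9: affected
    "org.eclipse.jetty:jetty-server:12.0.11",            # last version in range
    "org.eclipse.jetty:jetty-server:12.0.12",            # outside the cited range
    "org.typelevel:cats-effect_2.13:2.5.5",              # not Jetty, ignored
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_COORDINATES):
        print("affected by CVE-2024-6763:", hit)
```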
@kevin-lee changed the title from "http4s 0.22: Support Jetty 12" to "http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763" Nov 13, 2024
kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 13, 2024
…ss `CVE-2024-6763`

@arixmkii
Contributor

Http4s 0.22 is EOL #6334

@kevin-lee
Contributor Author

@arixmkii I understand that and explained the reason why I created this ticket above. Because it's EOL, I also provided the PR (#7579) to fix it.
