9.4.52.v20230823
·
245 commits
to jetty-9.4.x
since this release
Sponsored Release
This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com
Security Updates
This release addresses:
- GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
- CVE-2023-40167
- CVE-2023-36479
- CVE-2023-41900
Special Thanks to the following Eclipse Jetty community members
- @RangerRick (Benjamin Reed)
Changelog
- #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
- #10337 -
SizeLimitHandlerdoes not enforce 0 responseLimit - #10169 - make sure that a ServiceLoader is retrieved before iterating (@RangerRick)
- #10066 - Allow
SAXParserFactoryorSAXParserto be configured in Jetty'sXmlParserclass - Allows for GHSA-58qw-p7qm-5rvh workaround - #9887 - Deprecate
CGIServlet (CVE-2023-36479) - #9716 - Deprecate
PushSessionCacheFilter - #9660 - OpenId Revoked authentication allows one request (CVE-2023-41900)
- #9476 - onCompleteFailure called multiple times
Contributors
RangerRick