ZOOKEEPER-4023: dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218 #1552
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…02 - CVE-2020-27218 Bump jetty.version to 9.4.35.v20201120. The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120) mention [issues 5605](jetty/jetty.project#5605): > java.io.IOException: unconsumed input during http request parsing which seems to match the description of [CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218)
eolivelli
approved these changes
Dec 5, 2020
phunt
reviewed
Dec 5, 2020
| https://www.eclipse.org/org/documents/epl-1.0/EPL-1.0.txt | ||
| or the Apache Software License 2.0 which is available at | ||
| https://www.apache.org/licenses/LICENSE-2.0 | ||
| terms of the Eclipse Public License 2.0 which is available at |
There was a problem hiding this comment.
It looks like jetty-client is no longer used - perhaps you can remove as part of this commit?
You can double check - take a look at the binary artifact, this jar is not included. thx.
There was a problem hiding this comment.
@phunt: This patch is for master, which still pulls jetty-client; I have noted that it should not be included in branch-3.5.
@eolivelli: Yes, will do so. And branch-3.6, too, as it does not cherry-pick clean.
There was a problem hiding this comment.
(@phunt: In case you were suggesting to remove jetty-client from the POM in master, that would break ZOOKEEPER-3948: Introduce a deterministic runtime behavior injection framework for ZooKeeperServer testing.)
|
And here are the sister PRs: |
|
Looks like some jenkins issue: |
|
sg - +1 Thanks! |
I think we have enough approvals, and have had enough time to ponder the changes in these three PRs :) Should I just merge them? @eolivelli, WDYT? |
|
Yes go head please |
|
Merged in |
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Aug 31, 2022
…02 - CVE-2020-27218 Bump jetty.version to 9.4.35.v20201120. The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120) mention [issue 5605](jetty/jetty.project#5605): > java.io.IOException: unconsumed input during http request parsing which seems to match the description of [CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <anmolnar@apache.org>, Patrick D. Hunt <phunt@apache.org> Closes apache#1552 from ztzg/jetty-upgrade-CVE-2020-27218
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Aug 31, 2022
…02 - CVE-2020-27218 Bump jetty.version to 9.4.35.v20201120. The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120) mention [issue 5605](jetty/jetty.project#5605): > java.io.IOException: unconsumed input during http request parsing which seems to match the description of [CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <anmolnar@apache.org>, Patrick D. Hunt <phunt@apache.org> Closes apache#1552 from ztzg/jetty-upgrade-CVE-2020-27218
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Aug 31, 2022
…02 - CVE-2020-27218 Bump jetty.version to 9.4.35.v20201120. The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120) mention [issue 5605](jetty/jetty.project#5605): > java.io.IOException: unconsumed input during http request parsing which seems to match the description of [CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <anmolnar@apache.org>, Patrick D. Hunt <phunt@apache.org> Closes apache#1552 from ztzg/jetty-upgrade-CVE-2020-27218
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Sep 3, 2022
…02 - CVE-2020-27218 Bump jetty.version to 9.4.35.v20201120. The [release notes](https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.35.v20201120) mention [issue 5605](jetty/jetty.project#5605): > java.io.IOException: unconsumed input during http request parsing which seems to match the description of [CVE-2020-27218](http://cve.circl.lu/cve/CVE-2020-27218) Author: Damien Diederen <dd@crosstwine.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Norbert Kalmar <nkalmar@apache.org>, Andor Molnar <anmolnar@apache.org>, Patrick D. Hunt <phunt@apache.org> Closes apache#1552 from ztzg/jetty-upgrade-CVE-2020-27218
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bump jetty.version to 9.4.35.v20201120.
The release notes
mention issue 5605:
which seems to match the description of
CVE-2020-27218