Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763 #7578

Open
kevin-lee opened this issue Nov 12, 2024 · 0 comments
Open

http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763 #7578

kevin-lee opened this issue Nov 12, 2024 · 0 comments

Comments

@kevin-lee
Copy link
Contributor

kevin-lee commented Nov 12, 2024
edited
Loading

http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763

Why?

Why Not Update http4s 0.23?

Any Other Things to Know?

  • Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
  • Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but I only added support for Jakarta EE 8 to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.

NOTE:

I've been working on it, and it seems to be working. I will do the same for http4s-jetty as well.
kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 12, 2024
@kevin-lee
Close http4s#7578: http4s 0.22: Support Jetty 12
8d09598 
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- http4s 0.22's http4s-jetty uses Jetty 9.
- Jetty 9's community support ended in June 2022.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s should use Jetty 12, the current stable version.
- Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
- Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
@kevin-lee kevin-lee mentioned this issue Nov 12, 2024
Open
kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 12, 2024
@kevin-lee
Close http4s#7578: http4s 0.22: Support Jetty 12
91b2ad7 
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- http4s 0.22's http4s-jetty uses Jetty 9.
- Jetty 9's community support ended in June 2022.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s should use Jetty 12, the current stable version.
- Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
- Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 12, 2024
@kevin-lee
Close http4s#7578: http4s 0.22: Support Jetty 12
33ce9a3 
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- http4s 0.22's http4s-jetty uses Jetty 9.
- Jetty 9's community support ended in June 2022.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s should use Jetty 12, the current stable version.
- Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
- Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
@kevin-lee kevin-lee changed the title http4s 0.22: Support Jetty 12 http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763 Nov 13, 2024
kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 13, 2024
@kevin-lee
Close http4s#7578: http4s 0.22: Add support for Jetty 12 to addre…
206099a 
…ss `CVE-2024-6763`

- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- http4s 0.22's http4s-jetty uses Jetty 9.
- Jetty 9's community support ended in June 2022.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s should use Jetty 12, the current stable version.
- Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
- Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from `javax` to `jakarta` starting with Jakarta EE 9.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kevin-lee