9.4.52.v20230823
joakime released this 28 Aug 16:42 · 253 commits to jetty-9.4.x since this release
Sponsored Release
This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com.
Security Updates
This release addresses:
- GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
- CVE-2023-40167
- CVE-2023-36479
- CVE-2023-41900
Special Thanks to the following Eclipse Jetty community members:
- @RangerRick (Benjamin Reed)
Changelog
- #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
- #10337 - SizeLimitHandler does not enforce 0 responseLimit
- #10169 - Make sure that a ServiceLoader is retrieved before iterating (@RangerRick)
- #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - allows for the GHSA-58qw-p7qm-5rvh workaround
- #9887 - Deprecate CGI Servlet (CVE-2023-36479)
- #9716 - Deprecate PushSessionCacheFilter
- #9660 - OpenId revoked authentication allows one request (CVE-2023-41900)
- #9476 - onCompleteFailure called multiple times