10.0.18

Special Thanks to the following Eclipse Jetty community members

• @OlexYarm (OlexYarm)

Changelog

• #10786 - TLS handshake failures leak HttpConnection.RequestTimeouts tasks
• #10755 - deprecate PushCacheFilter
• #10753 - Improve and test jetty.sh behaviors
• #10675 - Fixed issue 10305 Embedded Jetty server fails to start when requests path contains not existed directory (@OlexYarm)
• #10667 - Add configuration to allow deferring the initial Deployment until after Server is started
• #10390 - Jetty HTTP/3 Client fails when connecting to nghttpx server
• #1256 - DoSFilter leaks USER_AUTH entries

12.0.2

Security Updates

This release addresses:

• CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)

Changelog

• #10679 - Review HTTP/2 rate control
• #10672 - Changed default implementation of Session.Listener.onNewStream() and …
• #10618 - Reduced mildly expensive HttpMethod.is calls by reordering boolean logic
• #10613 - Fix incorrect call to super in BufferedResponseHandler
• #10563 - An omnibus PR for changes needed to support webfunctions
• #10558 - NPE when forwarding a request to default servlet which should redirect to a subdirectory with trailing slash
• #10553 - Reintroduce an Exception type for invalid UTF-8
• #10547 - Cannot customize Executor on WebSocketClient
• #10542 - Added WebSocket migration documentation, pointing to existing WebSock…
• #10526 - do not run this in parallel as some conflicted jdni entries with ServerWithJNDITest
• #10513 - Lockup processing POST request body with Jetty 12.0.1 using http/2
• #10508 - Jetty 12 IllegalArgumentExeption when setting a HTTP header to null
• #10502 - Introduced CompletableResponseListener
• #10500 - Jetty 12 HTTP SPI does not preserve double-quotes on valid request headers
• #10498 - NullPointerException from call to UpgradeRequest#getUserPrincipal with Jetty 12
• #10483 - Improve BufferedResponseHandler
• #10482 - RewriteHandler with multiple HeaderPatternRules
• #10479 - Fix parsing of JSESSIONID only
• #10474 - Jetty 12 default error handler throws IllegalStateException for application/json
• #10473 - Startup Script reports ok too fast, and doesn't wait for actual start of Jetty
• #10466 - Review HTTP session documentation
• #10463 - Jetty 12 throws Exception handling static files when using response wrapper
• #10442 - Reduce verbosity when JMX finds overloaded setter
• #10441 - Jetty 12 ee8 jaspi is missing
• #10440 - ClassCastException with <jettyEnvXml> use in jetty-ee10-maven-plugin
• #10361 - Introduce QoSHandler
• #10328 - Review ResourceFactory.newSystemResource(String) behavior & javadoc
• #10324 - Improve migration from Servlets to Handler
• #10219 - Review HTTP Cookie parsing
• #9665 - HttpCookieStore incorrectly rejects cookies for domains that are an IPv6 address

9.4.53.v20231009

Security Updates

This release addresses:

• CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
• CVE-2023-36478

Sponsored Release

This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com

Changelog

• #10679 - backport HTTP/2 rate control from Jetty 10.0.x
• #10573 - backport hpack improvements from Jetty 10.0.x
• #10546 - backport jetty-http Huffman encoders/decoders from Jetty 10.0.x

11.0.17

Security Updates

This release addresses:

• CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)

Changelog

• #10679 - Review HTTP/2 rate control
• #10547 - Cannot customize Executor on WebSocketClient
• #10545 - Fixed deadlock in class initialization seen on JDK21.
• #10511 - Allow session idle timeout to be configured on authentication.
• #10473 - Startup Script reports ok too fast, and doesn't wait for actual start of Jetty
• #10365 - Cleanup of start properties usages

10.0.17

Security Updates

This release addresses:

• CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)

Changelog

• #10679 - Review HTTP/2 rate control
• #10547 - Cannot customize Executor on WebSocketClient
• #10545 - Fixed deadlock in class initialization seen on JDK21.
• #10511 - Allow session idle timeout to be configured on authentication.
• #10473 - Startup Script reports ok too fast, and doesn't wait for actual start of Jetty
• #10365 - Cleanup of start properties usages in jetty-10.0.x

12.0.1

Important Notes

• New Environment System (ee10 / ee9 / ee8)
• Supports ee10 / ee9 / ee8 at the same time (in different deployed webapps)
  • See Jetty 11 to 12 Migration Docs for help finding the new maven coordinates for EE specific artifacts.
• Jetty Core no longer has dependencies on any Jakarta EE Spec

Special Thanks to the following Eclipse Jetty community members

• @zugazagoitia (Alberto Zugazagoitia)

Changelog

• #10420 - do not recycle ServletChannel if aborted
• #10416 - EE9 Copies HttpFields in response
• #10411 - Review deployment of Jetty Context XML files
• #10406 - Bump jetty-setuid to 2.0.1
• #10388 - Jetty10 inetaccess mod started error
• #10356 - Deploying WAR with ee10-cdi-spi fails with Weld 5/CDI 4
• #10349 - Character encoding is reset when setting Content-Type
• #10340 - Implement containsLast in HttpFields
• #10339 - Freeze HttpFields
• #10337 - SizeLimitHandler does not enforce 0 responseLimit
• #10330 - Jetty 12: ResourceService throws NPE when resource has no filesystem path
• #10329 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10323 - Jetty 12.0.0 return wrong value for HttpServletRequest.isRequestedSessionIdValid
• #10315 - ServletInputStream::isReady results in IllegalArgumentException
• #10309 - Jetty 12: X-Powered-By header is added 2 times (if enabled)
• #10306 - Jetty 12 generates wrong Host header
• #10295 - FormAuthenticator does not dispatch to an error page but redirect
• #10294 - Request.getContext().getContextPath()
• #10293 - Improve documentation on how to write a response body in Jetty 12
• #10284 - Document all HttpFields methods
• #10275 - Fix wrong websocket artifact Jetty 12.x docs (@zugazagoitia)
• #10274 - java.nio.file.FileSystemNotFoundException when creating a resource from a JAR URL
• #10222 - Experiment/12/improve default servlet
• #10217 - Review ProxyConnectionFactory buffer management
• #10213 - UnknownFormatConversionException in start.jar --debug if path has % sign
• #10207 - Update failed JSP deployment message
• #10163 - Allow better configuration of WebAppContext classloader
• #10064 - Various Cleanup in ServletChannel
• #9900 - Improve Request.getBeginNanoTime() accuracy
• #9169 - Idle timeout is ignored if callback is not completed

11.0.16

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36478
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @strogiyotec (Almas Abdrazak)
• @huisongma (huisongma)
• @garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException
• #8405 - Servlet 3.1 ReadListener.onAllDataRead() is called twice under h2 or h2c if the server doesn't respond within 30s
• #7091 - Add SOCKS5 support (@huisongma)

10.0.16

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36478
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @strogiyotec (Almas Abdrazak)
• @huisongma (huisongma)
• @garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException
• #8405 - Servlet 3.1 ReadListener.onAllDataRead() is called twice under h2 or h2c if the server doesn't respond within 30s
• #7091 - Add SOCKS5 support (@huisongma)

9.4.52.v20230823

Sponsored Release

This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @RangerRick (Benjamin Reed)

Changelog

• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10337 - SizeLimitHandler does not enforce 0 responseLimit
• #10169 - make sure that a ServiceLoader is retrieved before iterating (@RangerRick)
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9716 - Deprecate PushSessionCacheFilter
• #9660 - OpenId Revoked authentication allows one request (CVE-2023-41900)
• #9476 - onCompleteFailure called multiple times

12.0.0

Important Notes

• New Environment System (ee10 / ee9 / ee8)
• Supports ee10 / ee9 / ee8 at the same time (in different deployed webapps)
  • See Jetty 11 to 12 Migration Docs for help finding the new maven coordinates for EE specific artifacts.
• Jetty Core no longer has dependencies on any Jakarta EE Spec

Security Updates

• This release provides a workaround for Security Advisory GHSA-58qw-p7qm-5rvh

Special Thanks to the following Eclipse Jetty community members

@kohlschuetter (Christian Kohlschütter)
@gregpoulos (Greg Poulos)

Changelog

• #10231 - DefaultServlet no longer supports POST and OPTIONS and returns a 405 instead
• #10229 - HttpConfiguration.setIdleTimeout() breaks long running requests
• #10227 - EE10 Unable to use Cookie attributes with HttpServletResponse.addCookie(jakarta.servlet.http.Cookie)
• #10205 - fixes for jetty 12 ee8 websocket demos
• #10178 - Fix demo-spec webapp failures
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #10165 - rename JAVAX_API to JAKARTA_API in ee9 and ee10 Source
• #10155 - EE10 Servlet include after HttpServletResponse.getWriter().println() omits Content-Length from the response
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.