10.0.10
joakime released this 20 Jun 19:17
Fixed Security Advisories
- (CVE-2022-2047) - GHSA-cj7v-27pg-wf7q - Invalid URI parsing may produce invalid HttpURI.authority
- (CVE-2022-2048) - GHSA-wgmr-mf83-7x4j - Invalid HTTP/2 requests can lead to denial of service
- (CVE-2022-2191) - GHSA-8mpp-f3f7-xc28 - SslConnection does not release pooled ByteBuffers in case of errors
Special Thanks to the following Eclipse Jetty community members
- @jianglai (Lai Jiang)
- @markslater (markslater)
- @prenagha (Padraic Renaghan)
Changelog
- #8161 - Improve SSLConnection buffers handling (Resolves CVE-2022-2191)
- #8136 - Cherry-pick of Improvements to PathSpec for Jetty 10.0.x
- #8134 - Improve cleanup of deflater/inflater pools for PerMessageDeflateExtension
- #8088 - Add option to configure exitVm on ShutdownMonitor from System properties
- #8067 - Wall time usage in DoSFilter RateTracker results in false positive alert
- #8057 - Support Http Response 103 (Early Hints)
- #8014 - Review HttpRequest URI construction (Resolves CVE-2022-2047)
- #8008 - Add compliance mode for LEGACY multipart parser in Jetty 10+
- #7994 - Ability to construct a detached client Request
- #7981 - Add TRANSFER_ENCODING violation for MultiPart RFC7578 parser.
- #7977 - UpgradeHttpServletRequest.setAttribute & UpgradeHttpServletRequest.removeAttribute can throw NullPointerException
- #7975 - ForwardedRequestCustomizer setters do not clear existing handlers
- #7953 - Fix StatisticsHandler in the case a Handler throws exception.
- #7935 - Review HTTP/2 error handling (Resolves CVE-2022-2048)
- #7929 - Correct requestlog formatString commented default (@prenagha)
- #7924 - Fix a typo in Javadoc (@jianglai)
- #7918 - PathMappings.asPathSpec does not allow root ServletPathSpec
- #7891 - Better Servlet PathMappings for Regex
- #7880 - DefaultServlet should not overwrite programmatically configured precompressed formats with defaults (@markslater)
- #7863 - Default servlet drops first accept-encoding header if there is more than one. (@markslater)
- #7858 - GZipHandler does not play nice with other handlers in HandlerCollection
- #7818 - Modifying of HTTP headers in HttpChannel.Listener#onResponseBegin is no longer possible with Jetty 10
- #7808 - Jetty duplicate set session cookie
- #7802 - HTTP/3 QPACK - do not expect section ack for zero required insert count
- #7754 - jetty.sh ignores JAVA_OPTIONS environment variable
- #7748 - Allow overriding of url-pattern mapping in ServletContextHandler to allow for regex or uri-template matching
- #7635 - QPACK decoder should fail connection if the encoder blocks more than SETTINGS_QPACK_BLOCKED_STREAMS
- #4414 - GZipHandler not excluding inflation for specified paths
- #1771 - Add module for SecuredRedirect support
Dependencies
- #8083 - Bump asciidoctorj to 2.5.4
- #8077 - Bump asciidoctorj-diagram to 2.2.3
- #7839 - Bump asm.version to 9.3
- #8142 - Bump biz.aQute.bndlib to 6.3.1
- #8075 - Bump checkstyle to 10.3
- #8056 - Bump error_prone_annotations to 2.14.0
- #8109 - Bump google-cloud-datastore to 2.7.0
- #8100 - Bump grpc-core to 1.47.0
- #7987 - Bump hawtio-default to 2.15.0
- #7934 - Bump hazelcast.version to 4.2.5
- #8003 - Bump jackson-annotations to 2.13.3
- #8004 - Bump jackson-core to 2.13.3
- #7849 - Bump jacoco-maven-plugin to 0.8.8
- #7937 - Bump jboss-logging to 3.5.0.Final
- #7815 - Bump jnr-ffi to 2.2.12
- #7967 - Bump kerb-simplekdc to 2.0.2
- #8029 - Bump logback-core to 1.3.0-alpha16
- #8064 - Bump mariadb-java-client to 3.0.5
- #7908 - Bump maven-antrun-plugin to 3.1.0
- #8001 - Bump maven-bundle-plugin to 5.1.6
- #7843 - Bump maven-clean-plugin to 3.2.0
- #8080 - Bump maven-invoker-plugin to 3.3.0
- #7902 - Bump maven-javadoc-plugin to 3.4.0
- #8079 - Bump maven-scm-provider-jgit to 1.13.0
- #7904 - Bump maven-site-plugin to 3.12.0
- #7900 - Bump maven.resolver.version to 1.8.0
- #7915 - Bump mongo-java-driver to 3.12.11
- #8108 - Bump openwebbeans.version to 2.0.27
- #7877 - Bump org.apache.aries.spifly.dynamic.bundle to 1.3.5
- #8123 - Bump org.apache.felix.framework to 7.0.5
- #8019 - Bump plexus-utils to 3.4.2
- #7859 - Bump protostream to 4.4.2.Final
- #8030 - Bump spotbugs-maven-plugin to 4.7.0.0
- #8031 - Bump testcontainers-bom to 1.17.2
- #7972 - Bump tycho-p2-repository-plugin to 2.7.3
- #8038 - Bump versions-maven-plugin to 2.11.0