11.0.16
joakime
released this
30 Aug 23:30
·
610 commits
to jetty-11.0.x
since this release
Security Updates
This release addresses:
- GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
- CVE-2023-40167
- CVE-2023-36478
- CVE-2023-36479
- CVE-2023-41900
Special Thanks to the following Eclipse Jetty community members
- @strogiyotec (Almas Abdrazak)
- @huisongma (huisongma)
- @garydgregory (Gary Gregory)
Changelog
- #10397 - Iso88591StringBuilder.append seems to have a logic error
- #10388 - Jetty10 inetaccess mod started error
- #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
- #10329 - Various cleanups in HttpParser
- #10271 - jetty.sh does not stop jetty anymore
- #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
- #10176 - cleanups of DateCache
- #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
- #10145 - WritePendingException over HTTP/2 tunnel
- #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
- #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
- #10105 - Document that Request objects are not reusable
- #10086 - Revisiting ProxyConfiguration.getProxies()
- #10066 - Allow
SAXParserFactory
orSAXParser
to be configured in Jetty'sXmlParser
class - Allows for GHSA-58qw-p7qm-5rvh workaround - #9997 - No progress during Gzip Request Inflation results in bogus error
- #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@strogiyotec)
- #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@garydgregory)
- #9895 - A MessageTooLargeException doesn't close a WebSocket connection
- #9887 - Deprecate CGI Servlet (CVE-2023-36479)
- #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
- #9777 - CrossOriginFilter does not return Vary header on no-cors mode
- #9761 - H3: Fix racy read from stream-less channel
- #9749 - HTTP/2 improvements.
- #9741 - Review of websocket parser, improve testing & comments.
- #9728 - Fixes to QPACK configuration from SETTINGS frames.
- #9715 - deprecate PushSessionCacheFilter
- #9685 - Jetty doesn't set the date header on error responses
- #9682 - RetainableByteBuffer buffer release bug in WebSocket
- #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
- #9476 - onCompleteFailure called multiple times
- #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
- #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException
- #8405 - Servlet 3.1 ReadListener.onAllDataRead() is called twice under h2 or h2c if the server doesn't respond within 30s
- #7091 - Add SOCKS5 support (@huisongma)