Add support for Jetty 12 to address CVE-2024-6763 #235

Open
kevin-lee opened this issue Nov 12, 2024 · 0 comments · May be fixed by #236

Comments


kevin-lee commented Nov 12, 2024

Add support for Jetty 12 to address CVE-2024-6763

Why?

Any Other Things to Know?

  • Jetty 12 requires Java 17, so dropping support for Java 11 is necessary.
  • Jetty has multiple versions supporting different versions of Jakarta EE (Java EE). However, for the first version supporting Jetty 12, it is better to support only Jakarta EE 8 to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.

NOTE:

I've done it for http4s 0.22 (http4s/http4s#7579), and I'm working on it for http4s-jetty now.
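As an added example (not code from this issue or the http4s-jetty project), here is a small dependency audit that flags Jetty artifacts whose version falls inside the affected range the issue states, 7.0.0 through 12.0.11. The Maven-style coordinate list, the version numbers in it and all function names are constructed for this example and are assumptions, not anything taken from the project's build.

```python
"""Flag Jetty artifact versions inside the CVE-2024-6763 affected range.

Added example, not part of the http4s-jetty issue or project. The affected
range (Jetty 7.0.0 up to and including 12.0.11) is the one the issue states;
the sample coordinates below and every function name are constructed here.
"""
import re
from typing import List, Optional, Tuple

# Affected range as stated in the issue: 7.0.0 <= version <= 12.0.11
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (12, 0, 11)

# Leading major.minor.patch; Jetty 9 tags carry a trailing ".vYYYYMMDD".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for '10.0.20' or '9.4.56.v20240826'.

    Only the numeric prefix matters for the range check. Returns None when
    the string does not look like a Jetty version at all.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the issue names."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


# Constructed sample: Maven-style group:artifact:version coordinates as they
# might appear in a dependency listing. Versions here are made up.
SAMPLE_DEPENDENCIES = [
    "org.eclipse.jetty:jetty-server:10.0.20",
    "org.eclipse.jetty:jetty-client:10.0.20",
    "org.eclipse.jetty:jetty-server:12.0.11",
    "org.eclipse.jetty.ee8:jetty-ee8-servlet:12.0.14",
    "org.eclipse.jetty:jetty-util:9.4.56.v20240826",
    "org.http4s:http4s-core_2.13:0.22.15",
]


def audit(coordinates: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (coordinate, version, affected) for each Jetty artifact.

    Artifacts outside the org.eclipse.jetty group prefix are skipped, so a
    mixed dependency listing can be passed straight through.
    """
    findings = []
    for coord in coordinates:
        group, _artifact, version = coord.split(":", 2)
        if not group.startswith("org.eclipse.jetty"):
            continue
        findings.append((coord, version, is_affected(version)))
    return findings


def affected_coordinates(coordinates: List[str]) -> List[str]:
    """Only the coordinates that need upgrading past 12.0.11."""
    return [coord for coord, _version, hit in audit(coordinates) if hit]


if __name__ == "__main__":
    for coord, version, hit in audit(SAMPLE_DEPENDENCIES):
        print(f"{'AFFECTED' if hit else 'ok':9} {coord}")
```

The range check is inclusive at both ends because the issue phrases it as "from 7.0.0 up to 12.0.11 are affected"; a Jetty 12 artifact is only clear of the range once it is newer than 12.0.11, which is why the constructed ee8 coordinate above passes while the 12.0.11 one does not.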

kevin-lee added a commit to kevin-lee/http4s-jetty that referenced this issue Nov 13, 2024
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- The current version of http4s-jetty uses Jetty 10.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s-jetty should use Jetty 12, the current stable version.
- Jetty 12 requires Java 17, so dropping support for Java 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE). However, for the first version supporting Jetty 12, it is better to support only Jakarta EE 8 to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
@kevin-lee kevin-lee changed the title Support Jetty 12 Add support for Jetty 12 to address CVE-2024-6763 Nov 13, 2024