[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-announce] Jetty releases 7.6.0 and 8.1.0


Jetty releases 7.6.0 and 8.1.0 have been promoted to maven central and will soon be available for download via http://eclipse.org/jetty

These releases represent a major effort by the team to refactor the IO layer to handle several issues that have emerged over the last year with respect to the latest JVMs and browsers, such as several 100% CPU spins fixed that resulted from strangely closed SSL connection.   Furthermore, the releases contain some additional protection from some denial of service attacks that have been discovered that affect a wide range of web servers.

We recommend that you plan to evaluate and upgrade to these releases as soon as possible.  Do to the nature of these changes, it is impossible to back the most significant ones to Jetty-6 and thus these releases represent the effective EOL for jetty-6, as no more general releases are planned.

Thanks to the jetty team who have  worked extremely hard over the last few months on these releases.  We've also very much appreciate the efforts of users who have raised issues, provided debug/traces and have tried out various snapshots and RCs.


jetty-8.1.0.v20120127 - 27 January 2012
 + 368773 allow authentication to be set by non securityHandler handlers
 + 368992 avoid update key while flushing during a write
 + 369216 turned off the shared resource cache
 + 369349 replace quotes with a space escape method

jetty-8.1.0.RC5 - 20 January 2012
 + 359329 Prevent reinvocation of LoginModule.login with jaspi for already
   authed user
 + 368632 Remove superfluous removal of org.apache.catalina.jsp_file
 + 368633 fixed configure.dtd resource mappings
 + 368635 moved lifecycle state reporting from toString to dump
 + 368773 process data constraints without realm
 + 368787 always set token view to new header buffers in httpparser
 + 368821 improved test harness
 + 368920 JettyAwareLogger always formats the arguments.
 + 368948 POM for jetty-jndi references unknown version for javax.activation.
 + 368992 NPE in HttpGenerator.prepareBuffers() test case.
 + JETTY-1475 made output state fields volatile to provide memory barrier for
   non dispatched thread IO

jetty-8.1.0.RC4 - 13 January 2012
 + 365048 jetty Http client does not send proxy authentication when requesting
   a Https-resource through a web-proxy.
 + 366774 removed XSS vulnerbility
 + 367099 Upgrade jetty-websocket for RFC 6455 - Addendum.
 + 367433 added tests to investigate
 + 367435 improved D00 test harness
 + 367485 HttpExchange canceled before response do not release connection.
 + 367502 WebSocket connections should be closed when application context is  stopped.
 + 367548 jetty-osgi-boot must not import the nested package twice
 + 367591 corrected configuration.xml version to 7.6
 + 367635 Added support for start.d directory
 + 367716 simplified maxIdleTime logic
 + 368035 WebSocketClientFactory does not invoke super.doStop().
 + 368060 do not encode sendRedirect URLs
 + 368112 NPE on <jsp-config><taglib> element parsing web.xml
 + 368113 Support servlet mapping to ""
 + 368114 Protect against non-Strings in System properties for Log
 + 368189 WebSocketClientFactory should not manage external thread pool.
 + 368240 Improve AggregateLifeCycle handling of shared lifecycles
 + 368215 Remove debug from jaspi
 + 368240 Better handling of locally created ThreadPool. Forgot to null out    field.
 + 368291 Change warning to info for NoSuchFieldException on    BeanELResolver.properties
 + 367638 limit number of form parameters to avoid DOS
 + JETTY-1467 close half closed when idle

jetty-8.1.0.RC2 - 22 December 2011
 + 359329 jetty-jaspi must exports its packages. jetty-plus must import   javax.security
 + 364638 HttpParser closes if data received while seeking EOF. Tests fixed to  cope
 + 364921 Made test less time sensitive
 + 364936 use Resource for opening URL streams
 + 365267 NullPointerException in bad Address
 + 365375 ResourceHandler should be a HandlerWrapper
 + 365750 Support WebSocket over SSL, aka wss://
 + 365932 Produce jetty-websocket aggregate jar for android use
 + 365947 Set headers for Auth failure and retry in http-spi
 + 366316 Superfluous printStackTrace on 404
 + 366342 Dont persist DosFilter trackers in http session
 + 366730 pass the time idle to onIdleExpire
 + 367048 test harness for guard on suspended requests
 + 367175 SSL 100% CPU spin in case of blocked write and RST.
 + 367219 WebSocketClient.open() fails when URI uses default ports.
 + 367383 jsp-config element must be returned for    ServletContext.getJspConfigDescriptor
 + JETTY-1460 suppress PrintWriter exceptions
 + JETTY-1463 websocket D0 parser should return progress even if no fill done
 + JETTY-1465 NPE in ContextHandler.toString

jetty-8.1.0.RC1 - 06 December 2011
 + 360245 The version of the javax.servlet packages to import is 2.6 instead of 3.0
 + 365370 ServletHandler can fall through to nested handler

jetty-8.1.0.RC0 - 30 November 2011
 + 352565 cookie httponly flag ignored
 + 353285 ServletSecurity annotation ignored
 + 357163 jetty 8 ought to proxy jetty8 javadocs
 + 357209 JSP tag listeners not called
 + 360051 SocketConnectionTest.testServerClosedConnection is excluded.
 + 361135 Allow session cookies to NEVER be marked as secure, even on HTTPS
   requests.
 + 362249 update shell scripts to jetty8
 + 363878 Add ecj compiler to jetty-8 for jsp
 + 364283 can't parse the servlet multipart-config for the web.xml
 + 364430 Support web.xml enabled state for servlets

  jetty-7.6.0.v20120127 - 27 January 2012
 + 368773 allow authentication to be set by non securityHandler handlers
 + 368992 avoid update key while flushing during a write
 + 369216 turned off the shared resource cache
 + 369349 replace quotes with a space escape method

jetty-7.6.0.RC5 - 20 January 2012
 + 359329 Prevent reinvocation of LoginModule.login with jaspi for already
   authed user
 + 368632 Remove superfluous removal of org.apache.catalina.jsp_file
 + 368633 fixed configure.dtd resource mappings
 + 368635 moved lifecycle state reporting from toString to dump
 + 368773 process data constraints without realm
 + 368787 always set token view to new header buffers in httpparser
 + 368821 improved test harness
 + 368920 JettyAwareLogger always formats the arguments.
 + 368948 POM for jetty-jndi references unknown version for javax.activation.
 + 368992 avoid non-blocking flush when writing to avoid setting !_writable
   without _writeblocked
 + JETTY-1475 made output state fields volatile to provide memory barrier for
   non dispatched thread IO

jetty-7.6.0.RC4 - 13 January 2012
 + 365048 jetty Http client does not send proxy authentication when requesting
   a Https-resource through a web-proxy.
 + 366774 removed XSS vulnerbility
 + 367099 Upgrade jetty-websocket for RFC 6455 - Addendum.
 + 367716 simplified maxIdleTime logic
 + 368035 WebSocketClientFactory does not invoke super.doStop().
 + 368060 do not encode sendRedirect URLs
 + 368114 Protect against non-Strings in System properties for Log
 + 368189 WebSocketClientFactory should not manage external thread pool.
 + 368215 Remove debug from jaspi
 + 368240 Improve AggregateLifeCycle handling of shared lifecycles
 + 368291 Change warning to info for NoSuchFieldException on
   BeanELResolver.properties

jetty-7.6.0.RC3 - 05 January 2012
 + 367433 added tests to investigate
 + 367435 improved D00 test harness
 + 367485 HttpExchange canceled before response do not release connection.
 + 367502 WebSocket connections should be closed when application context is
   stopped.
 + 367591 corrected configuration.xml version to 7.6
 + 367635 Added support for start.d directory
 + 367638 limit number of form parameters to avoid DOS
 + JETTY-1467 close half closed when idle

jetty-7.6.0.RC2 - 22 December 2011
 + 364638 HttpParser closes if data received while seeking EOF. Tests fixed to
   cope
 + 364921 Made test less time sensitive for ssl
 + 364936 use Resource for opening URL streams
 + 365267 NullPointerException in bad Address
 + 365375 ResourceHandler should be a HandlerWrapper
 + 365750 Support WebSocket over SSL, aka wss://
 + 365932 Produce jetty-websocket aggregate jar for android use
 + 365947 Set headers for Auth failure and retry in http-spi
 + 366316 Superfluous printStackTrace on 404
 + 366342 Dont persist DosFilter trackers in http session
 + 366730 pass the time idle to onIdleExpire
 + 367048 test harness for guard on suspended requests
 + 367175 SSL 100% CPU spin in case of blocked write and RST.
 + 367219 WebSocketClient.open() fails when URI uses default ports.
 + JETTY-1460 suppress PrintWriter exceptions
 + JETTY-1463 websocket D0 parser should return progress even if no fill done
 + JETTY-1465 NPE in ContextHandler.toString

jetty-7.6.0.RC1 - 04 December 2011
 + 352565 cookie httponly flag ignored
 + 353285 ServletSecurity annotation ignored
 + 357163 jetty 8 ought to proxy jetty8 javadocs
 + 357209 JSP tag listeners not called
 + 360051 SocketConnectionTest.testServerClosedConnection is excluded.
 + 361135 Allow session cookies to NEVER be marked as secure, even on HTTPS
   requests.
 + 362249 update shell scripts to jetty8
 + 363878 Add ecj compiler to jetty-8 for jsp
 + 364283 can't parse the servlet multipart-config for the web.xml
 + 364430 Support web.xml enabled state for servlets
 + 365370 ServletHandler can fall through to nested handler

jetty-7.6.0.RC0 - 29 November 2011
 + Refactored NIO layer for better half close handling
 + 349110 fixed bypass chunk handling
 + 360546 handle set count exceeding max integer
 + 362111 StdErrLog.isDebugEnabled() returns true too often
 + 362113 Improve Test Coverage of org.eclipse.jetty.util.log classes
 + 362407 setTrustStore(Resource) -> setTrustStoreResource(R)
 + 362447 add setMaxNonceAge() to DigestAuthenticator
 + 362468 NPE at line org.eclipse.jetty.io.BufferUtil.putHexInt
 + 362614 NPE in accepting connection
 + 362626 IllegalStateException thrown when SslContextFactory preconfigured
   with SSLContext
 + 362696 expand virtual host configuration options to ContextHandler and add
   associated test case for new behavior
 + 362742 improved UTF8 exception reason
 + 363124 improved websocket close handling
 + 363381 Throw IllegalStateException if Request uri is null on getServerName
 + 363408 GzipFilter should not attempt to compress HTTP status 204
 + 363488 ShutdownHandler use stopper thread
 + 363718 Setting java.rmi.server.hostname in jetty-jmx.xml
 + 363757 partial fix
 + 363785 StdErrLog must use system-dependent EOL.
 + 363943 ignore null attribute values
 + 363993 EOFException parsing HEAD response in HttpTester
 + 364638 SCEP does idle timestamp checking. New setCheckForIdle method
   controls onIdleExpired callback. 364921 a second onIdleExpired callback will
   result in close rather than a shutdown output.
 + 364657 Support HTTP only cookies from standard API
 + JETTY-1442 add _hostHeader setter for ProxyRule