[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[jetty-announce] Critical Security Release of Jetty 9.2.9.v20150224

The Jetty Project is announcing a critical security release of JettyÂ

 ÂJetty 9.2.9.v20150224

This release is considered a critical security release for all
users of Jetty 9.2.3 through 9.2.8.

The Highlights:

 + A critical security vulnerability has been fixed with how Jetty
  reports 400 Invalid Character responses when the HttpParser
  encounters an error.
  This 400 response can contain information from past buffer
  use from within Jetty. Revealing random buffer contents
  from other previously handled requests.

For details see either the bug at

Â* https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642
Or the markdown about the vulnerability at

Â* http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
Â* https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md
Distribution Downloads:

- http://download.eclipse.org/jetty/

The artifacts are also available in the Global Central Repository.

- http://central.maven.org/

Eclipse P2 repositories are available now.

If you find an issue with this release you can open a bug through the
guided bugzilla page located here:

- https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Jetty&format=guided

Documentation can be found at our documentation hub

- https://www.eclipse.org/jetty/documentation/

Finally, a reminder that both dev and prod support are offered through
Webtide (www.webtide.com), feel free to contact us through that site
or ping me directly if you are interested in learning more.
Documentation PDF's are available for direct download on the
webtide.com website as well.

The Jetty Development Team

jetty-9.2.9.v20150224 - 24 February 2015
Â+ 459273 Redundant license notices
Â+ 460176 When checking for precompiled jsp, ensure classname is present
Â+ 460180 Jaas demo has wrong doco in html
Â+ 460291 AsyncGzipFilter Mappings
Â+ 460371 AsyncMiddleManServlet.GZipContentTransformer fails if last transform
 Âhas no output
Â+ 460372 if web.xml does not contain jspc maven plugin insertionMarker
 Âbehavior is wrong
Â+ 460443 Race condition releasing the response buffer.
Â+ 460642 HttpParser error 400 can expose previous buffer contents in HTTP
 Âstatus reason message

Joakim Erdfelt <joakim@xxxxxxxxxxx>
webtide.comÂ- intalio.com/jetty
Expert advice, services and support fromÂfrom the Jetty & CometD experts