[ https://issues.apache.org/jira/browse/AMQ-4940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14163557#comment-14163557 ]

Steve Siebert commented on AMQ-4940:
------------------------------------

Looks like the work done on AMQ-3693 (fix for CVE-2011-4461) didn't actually 
fix the problem, as later versions of Jetty were added to the list, and the 
Jetty version used by ActiveMQ is being picked up by SCAP scanners: 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461

I think this raises the issue of updating Jetty from a "why aren't we using a 
newer version" to a security issue - possibly reopen AMQ-3693 as well? Wasn't 
really a "regression" so much as not enough information at the time the work 
was done =)

I'm just looking into it now to see what kind of work would be needed to get 
this done. It may be a lot. I would like to help by submitting a patch, both 
for 5.10 and as a back port to 5.9 if that is acceptable (as we'll need to do 
some more work on our side to support the security changes in 5.10) - so any 
pointers as to what needs to be looked at will help. 

Obviously activemq-web uses jetty, but it looks like jetty may also be used to 
implement transport services as well (activemq-http), in several module unit 
tests (activemq-fileserver, activemq-amqp, activemq-http, 
activemq-runtime-config, activemq-unit-tests, activemq-web-console, 
activemq-web-demo) and referenced in other modules' poms (activemq-leveldb-store, 
activemq-osgi)...and of course the assembly needs changes to use the correct 
jetty config.

That's just a first glance... so any other pointers would be appreciated =)

> Update the version of Jetty used
> --------------------------------
>
>                 Key: AMQ-4940
>                 URL: https://issues.apache.org/jira/browse/AMQ-4940
>             Project: ActiveMQ
>          Issue Type: Improvement
>         Environment: activemq-5.10-20131214.063224-32
>            Reporter: Lionel Cons
>
> When trying the latest 5.10 snapshot, I was surprised to see a quite old 
> version of Jetty:
> 2013-12-16 14:41:10,665 [WrapperSimpleAppMain] INFO Server - 
> jetty-7.6.9.v20130131
> Why is ActiveMQ using Jetty 7 instead of Jetty 8 or 9?
> In any case, could ActiveMQ use a more recent version of Jetty like 
> 7.6.14.v20131031 (if it must stick to Jetty 7)?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

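The thread above turns on two facts: the Jetty version ActiveMQ logs at startup ("jetty-7.6.9.v20130131") and the newer 7.6.x release the reporter proposes. The script below is an added example, not code from the ticket or from the ActiveMQ project: it pulls the Jetty version out of that startup line or out of jetty-*.jar file names under an install directory and compares it against a baseline version supplied by the caller. The baseline is an assumption the caller makes (the ticket does not say which Jetty release closes CVE-2011-4461), and the sample log line and jar names are constructed from the formats quoted in the issue.

```shell
#!/bin/sh
# Added example (not from AMQ-4940 or the ActiveMQ project): report which Jetty
# an ActiveMQ install is running and flag it if it is older than a baseline.
# The baseline version is whatever the caller passes; this script makes no
# claim about which Jetty release fixes CVE-2011-4461.

# Constructed sample of the startup line quoted in the issue.
SAMPLE_LOG_LINE='2013-12-16 14:41:10,665 [WrapperSimpleAppMain] INFO Server - jetty-7.6.9.v20130131'

# Print the dotted numeric version from a startup log line
# ("7.6.9" from "jetty-7.6.9.v20130131"); print nothing if there is none.
jetty_version_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*jetty-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Same extraction for a jar path such as lib/web/jetty-server-7.6.9.v20130131.jar.
jetty_version_from_jar() {
    printf '%s\n' "$(basename "$1")" |
        sed -n 's/^jetty-[a-z-]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*\.jar$/\1/p'
}

# Numeric comparison of two dotted major.minor.patch versions.
# Returns 0 (true) when $1 >= $2, 1 otherwise. Missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# Check one startup log line against a baseline version.
# Returns 0 if the logged Jetty is at least the baseline, 1 if it is older
# or no Jetty version is present in the line.
check_log_line() {
    v=$(jetty_version_from_log "$1")
    if [ -z "$v" ]; then
        echo "no Jetty version found in line"
        return 1
    fi
    if version_ge "$v" "$2"; then
        echo "jetty $v >= $2: ok"
        return 0
    fi
    echo "jetty $v < $2: OUTDATED"
    return 1
}

# Scan an install tree for jetty-*.jar files and report each one.
# Returns 0 if every Jetty jar found is at least the baseline, 1 otherwise.
check_jetty_jars() {
    outdated=$(find "$1" -name 'jetty-*.jar' 2>/dev/null | while IFS= read -r jar; do
        v=$(jetty_version_from_jar "$jar")
        [ -n "$v" ] || continue
        if version_ge "$v" "$2"; then
            echo "ok       $v $jar" >&2
        else
            echo "OUTDATED $v $jar" >&2
            echo "$jar"
        fi
    done)
    [ -z "$outdated" ]
}

# Usage (assumed install path and the 7.6.14 baseline proposed in the ticket):
#   check_log_line "$SAMPLE_LOG_LINE" 7.6.14
#   check_jetty_jars /opt/activemq 7.6.14
```

The jar scan is the check that matters for the modules listed in the comment: an upgrade of activemq-web alone still leaves an old jetty-*.jar under the assembly if activemq-http or the other modules' poms pull in the previous version, and a version scanner will keep flagging it.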