Michael Smith created IMPALA-11855:
--------------------------------------

             Summary: Upgrade jetty to 9.4.47 due to CVE-2022-2047, CVE-2022-2048
                 Key: IMPALA-11855
                 URL: https://issues.apache.org/jira/browse/IMPALA-11855
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend
    Affects Versions: Impala 4.2.0
            Reporter: Michael Smith


CVE-2022-2047 - In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 
10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment 
of an http scheme URI, the Jetty HttpURI class improperly detects an invalid 
input as a hostname. This can lead to failures in a Proxy scenario.

CVE-2022-2048 - In Eclipse Jetty HTTP/2 server implementation, when 
encountering an invalid HTTP/2 request, the error handling has a bug that can 
wind up not properly cleaning up the active connections and associated 
resources. This can lead to a Denial of Service scenario where there are not 
enough resources left to process good requests.


