[ 
https://issues.apache.org/jira/browse/IMPALA-11855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on IMPALA-11855 started by Michael Smith.
----------------------------------------------
> Upgrade jetty to 9.4.47 due to CVE-2022-2047, CVE-2022-2048
> -----------------------------------------------------------
>
>                 Key: IMPALA-11855
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11855
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Frontend
>    Affects Versions: Impala 4.2.0
>            Reporter: Michael Smith
>            Assignee: Michael Smith
>            Priority: Major
>
> CVE-2022-2047 - In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru
> 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment
> of an http scheme URI, the Jetty HttpURI class improperly detects an invalid
> input as a hostname. This can lead to failures in a Proxy scenario.
> CVE-2022-2048 - In Eclipse Jetty HTTP/2 server implementation, when 
> encountering an invalid HTTP/2 request, the error handling has a bug that can 
> wind up not properly cleaning up the active connections and associated 
> resources. This can lead to a Denial of Service scenario where there are not
> enough resources left to process good requests.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
