The work to address CVE-2011-4461 was commit'd on Dec 29th, 2011
https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf

The recently released Jetty 7.6.0.RC3 contains this fix.

--
Joakim Erdfelt [email protected]
http://webtide.com | http://intalio.com
(the people behind jetty and cometd)

On Thu, Jan 5, 2012 at 3:34 PM, Justin Cummins <[email protected]> wrote:
> Last week, a widespread denial of service vulnerability was
> announced <http://www.nruns.com/_downloads/advisory28122011.pdf> wherein
> the attacker can choose specific strings (or other objects) which all
> resolve to the same hashtable key. A POST request would be sufficient to
> trigger the denial of service.
>
> Jetty is listed as one of the vulnerable web servers (among many others)
> and Oracle, I believe, has stated that they will not release any update.
> One mitigation is limiting a request size, however, the attack's effect is
> only reduced.
>
> Is anyone working on a real fix for Jetty by placing request parameters
> into a different Map structure?
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> https://dev.eclipse.org/mailman/listinfo/jetty-users
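The two mitigations discussed in the thread (bounding the request size, and keeping request parameters in a structure whose insert cost does not collapse under colliding hash codes) can be combined in one small form-body decoder. The example below is added here for illustration and is not Jetty's code nor the code in the linked commit; the class name `BoundedFormParser`, the limits `maxBodyChars` and `maxKeys`, and the sample bodies are all constructed for this example. It stores parameters in a `TreeMap`, so each insert costs O(log n) comparisons no matter what `String.hashCode()` returns, and it refuses a body before the map can grow past a fixed number of distinct names.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Illustrative decoder for application/x-www-form-urlencoded bodies that
 * bounds the work a single request can force on the parameter map.
 * (Constructed example; not Jetty's own implementation.)
 */
public class BoundedFormParser {

    /** Raised when a request exceeds one of the configured bounds. */
    public static class FormLimitExceeded extends RuntimeException {
        public FormLimitExceeded(String msg) { super(msg); }
    }

    private final int maxBodyChars; // hypothetical cap on decoded body length
    private final int maxKeys;      // hypothetical cap on distinct parameter names

    public BoundedFormParser(int maxBodyChars, int maxKeys) {
        this.maxBodyChars = maxBodyChars;
        this.maxKeys = maxKeys;
    }

    /** Decodes name=value&name=value... into a sorted map of name -> values. */
    public Map<String, List<String>> parse(String body) throws UnsupportedEncodingException {
        if (body.length() > maxBodyChars) {
            throw new FormLimitExceeded("body exceeds " + maxBodyChars + " characters");
        }
        // TreeMap orders by String.compareTo, so colliding hashCode() values
        // cannot degrade insertion to a linear bucket scan.
        Map<String, List<String>> params = new TreeMap<String, List<String>>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            List<String> values = params.get(name);
            if (values == null) {
                // Reject before inserting the (maxKeys + 1)th distinct name.
                if (params.size() >= maxKeys) {
                    throw new FormLimitExceeded("more than " + maxKeys + " form keys");
                }
                values = new ArrayList<String>();
                params.put(name, values);
            }
            values.add(value);
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        BoundedFormParser parser = new BoundedFormParser(64 * 1024, 1000);

        // Constructed benign body: repeated names are collected as a list.
        System.out.println(parser.parse("user=alice&role=admin&role=dev"));

        // Constructed body with 2000 distinct names: well under the size cap,
        // so it is the key limit that stops it, before the map grows large.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 2000; i++) {
            sb.append('k').append(i).append("=v&");
        }
        try {
            parser.parse(sb.toString());
        } catch (FormLimitExceeded e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The size cap alone only scales the attack down, as the original post notes, because a few kilobytes of chosen names still force quadratic work in a plain `HashMap`; the key cap and the comparison-ordered map are what remove the quadratic term. A server should also map `FormLimitExceeded` to a 4xx response and log it, since a legitimate form rarely carries anywhere near a thousand distinct field names.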
