The Jetty team is announcing the immediate availability of new releases for the Eclipse Jetty 9.4.x, 10.0.x, 11.0.x, and 12.0.x branches.
These releases include a number of bug fixes and improvements, along with fixes for two HTTP/2 security advisories.

Note: The Jetty 9.4.53 release was sponsored by a commercial support contract with webtide.com.

See the GitHub release pages for the changelogs:

 * https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
 * https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.17
 * https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.17
 * https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.2

The Security Advisories being published today are:

*HTTP/2 DDoS Vector*

CVE: CVE-2023-44487 (industry / spec level CVE, not Jetty specific; the HTTP/2 "Rapid Reset" attack)
Severity: High (7.5)
Impacted Versions:
  org.eclipse.jetty.http2:http2-common >= 9.3.0, <= 9.4.52
  org.eclipse.jetty.http2:http2-common >= 10.0.0, <= 10.0.16
  org.eclipse.jetty.http2:http2-common >= 11.0.0, <= 11.0.16
  org.eclipse.jetty.http2:http2-server >= 9.3.0, <= 9.4.52
  org.eclipse.jetty.http2:http2-server >= 10.0.0, <= 10.0.16
  org.eclipse.jetty.http2:http2-server >= 11.0.0, <= 11.0.16
  org.eclipse.jetty.http2:jetty-http2-common >= 12.0.0, <= 12.0.1
  org.eclipse.jetty.http2:jetty-http2-server >= 12.0.0, <= 12.0.1
Fixed Versions: 9.4.53, 10.0.17, 11.0.17, 12.0.2

*HTTP/2 HPACK integer overflow and buffer allocation*

CVE: CVE-2023-36478
Advisory: https://github.com/advisories/GHSA-wgh7-54f2-x98r
Severity: High (7.5) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-190 - Integer Overflow or Wraparound; CWE-400 - Uncontrolled Resource Consumption
Impacted Versions:
  org.eclipse.jetty:jetty-http >= 9.3.0, <= 9.4.52
  org.eclipse.jetty:jetty-http >= 10.0.0, <= 10.0.15
  org.eclipse.jetty:jetty-http >= 11.0.0, <= 11.0.15
  org.eclipse.jetty.http2:http2-hpack >= 9.3.0, <= 9.4.52
  org.eclipse.jetty.http2:http2-hpack >= 10.0.0, <= 10.0.15
  org.eclipse.jetty.http2:http2-hpack >= 11.0.0, <= 11.0.15
  org.eclipse.jetty.http3:http3-qpack >= 10.0.0, <= 10.0.15
  org.eclipse.jetty.http3:http3-qpack >= 11.0.0, <= 11.0.15
Fixed Versions: 9.4.53, 10.0.16, 11.0.16
Unaffected Versions: 12.0.x

Note that the CVE-2023-36478 fix already shipped in 10.0.16 and 11.0.16, while the CVE-2023-44487 fix is only in 10.0.17 and 11.0.17 (and 9.4.53 and 12.0.2). Upgrading to the versions announced here covers both advisories on every branch.

These releases are available on the Eclipse Jetty project download page or from the Maven Central repository:

 * Eclipse: https://eclipse.dev/jetty/download.php
 * Maven Central: https://repo1.maven.org/maven2/org/eclipse/jetty/

Documentation for these releases can be found on the Eclipse Jetty project site:

 * https://eclipse.dev/jetty/documentation.php

If you find any issues with these releases, or if you want to suggest future enhancements, please file an issue on the Jetty GitHub page:

 * https://github.com/eclipse/jetty.project/issues/new

Commercial production and development support for Jetty is offered through Webtide (webtide.com). Please contact us for more information or email je...@webtide.com to discuss your specific needs.

Best Regards,
The Jetty Development Team
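The affected-version table above is easy to misread because the two advisories have different fixed versions per branch (10.0.16 closes CVE-2023-36478 but not CVE-2023-44487) and 12.0.x is affected by only one of them. The following is an added example, not code from the Jetty project or this announcement: a small checker that transcribes the inclusive ranges listed above and scans `mvn dependency:list` style output for affected coordinates. The dependency listing embedded in it is constructed for illustration; the version parser ignores Jetty's `.vYYYYMMDD` date suffix on 9.4.x tags, which is not part of the ordering.

```python
import re

# Inclusive affected ranges, transcribed from the two advisories above.
AFFECTED = {
    "CVE-2023-44487": [
        ("org.eclipse.jetty.http2", "http2-common", "9.3.0", "9.4.52"),
        ("org.eclipse.jetty.http2", "http2-common", "10.0.0", "10.0.16"),
        ("org.eclipse.jetty.http2", "http2-common", "11.0.0", "11.0.16"),
        ("org.eclipse.jetty.http2", "http2-server", "9.3.0", "9.4.52"),
        ("org.eclipse.jetty.http2", "http2-server", "10.0.0", "10.0.16"),
        ("org.eclipse.jetty.http2", "http2-server", "11.0.0", "11.0.16"),
        ("org.eclipse.jetty.http2", "jetty-http2-common", "12.0.0", "12.0.1"),
        ("org.eclipse.jetty.http2", "jetty-http2-server", "12.0.0", "12.0.1"),
    ],
    "CVE-2023-36478": [
        ("org.eclipse.jetty", "jetty-http", "9.3.0", "9.4.52"),
        ("org.eclipse.jetty", "jetty-http", "10.0.0", "10.0.15"),
        ("org.eclipse.jetty", "jetty-http", "11.0.0", "11.0.15"),
        ("org.eclipse.jetty.http2", "http2-hpack", "9.3.0", "9.4.52"),
        ("org.eclipse.jetty.http2", "http2-hpack", "10.0.0", "10.0.15"),
        ("org.eclipse.jetty.http2", "http2-hpack", "11.0.0", "11.0.15"),
        ("org.eclipse.jetty.http3", "http3-qpack", "10.0.0", "10.0.15"),
        ("org.eclipse.jetty.http3", "http3-qpack", "11.0.0", "11.0.15"),
    ],
}


def parse_version(version):
    """Return the numeric components of a Jetty version as a 3-tuple.

    9.4.x tags look like 9.4.52.v20230823; the date suffix is dropped so
    that only the leading dotted integers take part in the comparison.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def affected_by(group, artifact, version):
    """Return the CVE ids whose affected ranges contain group:artifact:version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for g, a, lo, hi in ranges:
            if g == group and a == artifact and parse_version(lo) <= v <= parse_version(hi):
                hits.append(cve)
                break  # one match per CVE is enough
    return hits


def parse_dependency_line(line):
    """Parse 'group:artifact[:type[:classifier]]:version[:scope]' as printed by
    `mvn dependency:list`; returns (group, artifact, version) or None."""
    line = re.sub(r"^\[\w+\]\s*", "", line.strip())  # drop a leading [INFO]
    parts = line.split(":")
    if len(parts) < 3:
        return None
    # The version is the first field after the artifact that starts with a digit,
    # which skips the packaging type and an optional classifier.
    for p in parts[2:]:
        if p[:1].isdigit():
            return parts[0], parts[1], p
    return None


def scan(text):
    """Map every recognised dependency line to the list of CVEs it is affected by."""
    report = {}
    for line in text.splitlines():
        dep = parse_dependency_line(line)
        if dep is not None:
            report["%s:%s:%s" % dep] = affected_by(*dep)
    return report


# Constructed sample of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.eclipse.jetty.http2:http2-server:jar:9.4.51.v20230217:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:9.4.51.v20230217:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:10.0.16:compile
[INFO]    org.eclipse.jetty.http2:http2-server:jar:10.0.16:compile
[INFO]    org.eclipse.jetty.http2:jetty-http2-server:jar:12.0.2:compile
"""

if __name__ == "__main__":
    for coord, cves in scan(SAMPLE_DEPENDENCY_LIST).items():
        print(coord, "->", ", ".join(cves) if cves else "not affected")
```

Run against a real `mvn dependency:list` (or `gradle dependencies`) capture, the script flags a 10.0.16 `http2-server` as still open to CVE-2023-44487 even though its sibling `jetty-http` at 10.0.16 is already fixed for CVE-2023-36478, which is the distinction the two fixed-version lines above draw.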
_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users