Re: Next LTS baseline

2022-08-02 Thread Olivier Lamy
As explained in the PR, there are no real security issues, but some companies using scanners may have to live a long time with alarms etc... And they don't have any "safe" (by "safe" I mean CVE-free :)) solution to upgrade before the version with Jetty 10.0.11 lands in LTS (and I do not mention

Re: Next LTS baseline

2022-08-02 Thread Basil Crow
Are we talking about the version of Jetty to be shipped in 2.346.3 or the version of Jetty to be shipped in 2.361.1? 2.361.1 is far enough away that I would be in favor of a backport of Jetty 10.0.11, once it has been in the weekly release for a week or two without serious regressions. This would

Re: Next LTS baseline

2022-08-02 Thread Tim Jacomb
(as mentioned on the PR) My concern with backporting the Jetty changes is that this PR will never go to weekly as weekly is now on Jetty 10. But if we don't backport it, that would mean security scanners complaining about a new LTS line which isn't ideal... On Tue, 2 Aug 2022 at 22:06, Olivier

Re: Next LTS baseline

2022-08-02 Thread Olivier Lamy
Hi, if LTS will be 2.361, it would be good to have the Winstone upgrade in. https://github.com/jenkinsci/jenkins/pull/6955 It will stop all security scanners from complaining with false alarms on the Jetty versions. On Sat, 30 Jul 2022 at 06:23, 'Daniel Beck' via Jenkins Developers <