Commit

Merge pull request #6134 from eclipse/jetty-9.4.x-version-cve-update
Update VERSION.txt
joakime committed Apr 5, 2021
2 parents c50bed4 + 3a86b0c commit 45c6599
Showing 1 changed file with 5 additions and 27 deletions.
32 changes: 5 additions & 27 deletions VERSION.txt
Expand Up @@ -3,15 +3,15 @@ jetty-9.4.40-SNAPSHOT
jetty-9.4.39.v20210325 - 25 March 2021
+ 6034 SslContextFactory may select a wildcard certificate during SNI
selection when a more specific SSL certificate is present
+ 6050 Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
+ 6050 Websocket: NotUtf8Exception after upgrade to 9.4.36 or newer
+ 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to
work on Android
+ 6063 Allow override of hazelcast version when using module
+ 6072 jetty server high CPU when client send data length > 17408
+ 6072 jetty server high CPU when client send data length > 17408 - Resolves CVE-2021-28165
+ 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies"
Message
+ 6101 Normalise ambiguous URIs
+ 6102 Exclude webapps directory from deployment scan
+ 6101 Normalise ambiguous URIs - Resolves CVE-2021-28164
+ 6102 Exclude webapps directory from deployment scan - Resolves CVE-2021-28163

jetty-9.4.38.v20210224 - 24 February 2021
+ 4275 Path Normalization/Traversal - Context Matching
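Review bot: The " - Resolves CVE-..." suffix is appended on the same line as the issue title, so the 6072 entry ("jetty server high CPU when client send data length > 17408 - Resolves CVE-2021-28165") now runs well past the wrap width the rest of the file keeps; the 6034 and 6085 entries continue on an indented second line, and the suffix should wrap the same way. The " - " separator also already occurs inside titles, as in "4275 Path Normalization/Traversal - Context Matching" in the context just below, so a fixed trailing form such as "(CVE-2021-28165)" would be easier to grep and harder to mistake for part of the title. Separately, the reworded 6050 entry drops the 9.4.35 starting version; if that is intentional it deserves a word in the commit message.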
Expand Down Expand Up @@ -39,7 +39,7 @@ jetty-9.4.37.v20210219 - 19 February 2021
+ 5979 Configurable gzip Etag extension

jetty-9.4.36.v20210114 - 14 January 2021
+ 5310 Jetty Http2 client discards the response fames when there is GOAWAY and
+ 5310 Jetty Http2 client discards the response frames when there is GOAWAY and
sends RST_STREAM
+ 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate
+ 5633 Allow to configure HttpClient request authority
Expand Down Expand Up @@ -167,7 +167,6 @@ jetty-9.4.31.v20200723 - 23 July 2020
+ 5057 `javax.servlet.include.context_path` attribute on root context. should
be empty string, but is `"/"`
+ 5064 NotSerializableException for OpenIdConfiguration
+ 5069 HttpClientTimeoutTests can occasionally fail due to unreachable network

jetty-9.4.30.v20200611 - 11 June 2020
+ 4776 Incorrect path matching for WebSocket using PathMappings
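Review bot: The hunk header (-167,7 +167,6) shows one entry dropped from the already released 9.4.31 notes, and neither the commit message ("Update VERSION.txt") nor the branch name (jetty-9.4.x-version-cve-update) accounts for it. If the intent is to prune test-only entries such as "5069 HttpClientTimeoutTests can occasionally fail due to unreachable network", say so in the commit message or move the pruning to its own commit, so that the three CVE annotations in the first hunk can be reviewed and cherry-picked on their own.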
Expand Down Expand Up @@ -470,10 +469,8 @@ jetty-9.4.20.v20190813 - 13 August 2019
+ 3648 javax.websocket client container incorrectly creates Server
SslContextFactory
+ 3698 Missing WebSocket ServerContainer after server restart
+ 3700 stackoverflow in WebAppClassLoaderUrlStreamTest
+ 3708 Swap various java.lang.String replace() methods for better performant
ones
+ 3731 Add testing of CDI behaviors
+ 3736 NPE from WebAppClassLoader during CDI
+ 3746 ClassCastException in WriteFlusher.java - IdleState cannot be cast to
FailedState
Expand Down Expand Up @@ -675,7 +672,6 @@ jetty-9.2.27.v20190403 - 03 April 2019

jetty-9.4.14.v20181114 - 14 November 2018
+ 3097 Duplicated programmatic Servlet Listeners causing duplicate calls
+ 3103 HttpClientLoadTest reports a leak in byte buffer
+ 3104 Align jetty-schemas version within apache-jsp module as well

jetty-9.4.13.v20181111 - 11 November 2018
Expand Down Expand Up @@ -739,8 +735,6 @@ jetty-9.4.12.v20180830 - 30 August 2018
Runtimes
+ 2075 Deprecating MultiException
+ 2135 Android 8.1 needs direct buffers for SSL/TLS to work
+ 2233 JDK9 Test failure:
org.eclipse.jetty.server.ThreadStarvationTest.testWriteStarvation[https/ssl/tls]
+ 2342 File Descriptor Leak: Conscrypt: "Too many open files"
+ 2349 HTTP/2 max streams enforcement
+ 2398 MultiPartFormInputStream parsing should default to UTF-8, but allowed
Expand All @@ -750,9 +744,6 @@ jetty-9.4.12.v20180830 - 30 August 2018
+ 2530 Client waits forever for cancelled large uploads
+ 2560 Review PathResource exception handling
+ 2565 HashLoginService silently ignores file:/ config paths from 9.3.x
+ 2592 Failing test on Windows:
ServerTimeoutsTest.testAsyncWriteIdleTimeoutFires[transport: HTTP]
+ 2597 Failing tests on windows UnixSocketTest
+ 2631 IllegalArgumentException: Buffering capacity exceeded, from HttpClient
HEAD Requests to resources referencing large body contents
+ 2648 LdapLoginModule fails with forceBinding=true under Java 9
Expand Down Expand Up @@ -814,7 +805,6 @@ jetty-9.4.12.v20180830 - 30 August 2018
hot redeploy on Windows
+ 2836 Sequential HTTPS requests may not reuse the same connection
+ 2844 Clean up webdefault.xml and DefaultServlet doc
+ 2846 add unit test for ldap module
+ 2847 Wrap Connection.Listener invocations in try/catch
+ 2860 Leakage of HttpDestinations in HttpClient
+ 2871 Server reads -1 after client resets HTTP/2 stream
Expand Down Expand Up @@ -1173,7 +1163,6 @@ jetty-9.4.7.v20170914 - 14 September 2017
+ 1759 HTTP/2: producer can block in onReset
+ 1766 JettyClientContainerProvider does not actually use common objects
correctly
+ 1789 PropertyUserStoreTest failures in Windows
+ 1790 HTTP/2: 100% CPU usage seen during close/shutdown of endpoint
+ 1792 Accept ISO-8859-1 characters in response reason
+ 1794 Config properties typos in session-store-cache.mod
Expand All @@ -1186,8 +1175,6 @@ jetty-9.4.7.v20170914 - 14 September 2017
+ 1809 NPE: StandardDescriptorProcessor.visitSecurityConstraint() with null/no
security manager
+ 1814 Move JavaVersion to jetty-util for future Java 9 support requirements
+ 1816 HttpClientTest.testClientCannotValidateServerCertificate() hangs with
JDK 9
+ 475546 ClosedChannelException when connection to HTTPS over HTTP proxy with
CONNECT

Expand Down Expand Up @@ -1409,11 +1396,8 @@ jetty-9.4.3.v20170317 - 17 March 2017
jetty-9.3.17.v20170317 - 17 March 2017
+ 329 Javadoc for HttpTester and ServletTester needs to reference limited HTTP
version scope
+ 609 websocket ClientCloseTest testServerNoCloseHandshake is failing
+ 1015 Ensure jetty-distribution excludes git / temp files
+ 1047 ReadPendingException and then thread death
+ 1049 test-jetty-osgi test exits/crashes the surefire forked JVM
+ 1282 ByteArrayEndPointTest.testIdle() failure
+ 1296 Introduce HTTP parser "content complete" event
+ 1326 Jetty shutdown command got NullPointerException (http2 module added to
start)
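Review bot: The entries under the jetty-9.3.17.v20170317 heading are the notes of a release that has already shipped, and the header (-1409,11 +1396,8) shows three lines removed from them, so this copy of VERSION.txt will no longer match what was published with that release. Anyone checking which release addressed a given issue number loses those entries here. If only test-related issues (for example "609 websocket ClientCloseTest testServerNoCloseHandshake is failing") are meant to go, state that rule in the commit message so the removals can be checked against it.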
Expand All @@ -1433,7 +1417,6 @@ jetty-9.3.17.v20170317 - 17 March 2017
+ 1390 HashLoginService and "this.web-inf.url" property are incompatible
+ 1394 Default OS Locale/Encoding/Charset can cause test failures
+ 1396 Set-Cookie produced by Jetty is invalid for RFC6265 and Chrome
+ 1399 SlowClientTest is failing on CI
+ 1401 HttpOutput.recycle() does not clear the write listener

jetty-9.4.2.v20170220 - 20 February 2017
Expand Down Expand Up @@ -1537,9 +1520,6 @@ jetty-9.3.16.v20170120 - 20 January 2017
+ 1229 ClassLoader constraint issue when using NativeWebSocketConfiguration
with WEB-INF/lib/jetty-http.jar present
+ 1234 onBadMessage called from with handled message
+ 1259 HostnameVerificationTest.simpleGetWithHostnameVerificationEnabledTest
is broken
+ 1261 Intermittent H2C test failure AsyncIOServletTest.testAsyncReadEarlyEOF
+ 1262 BufferUtil.isMappedBuffer() uses reflection on private JDK fields
+ 1265 JAXB not available in JDK 9
+ 1267 Request.getRemoteUser can throw undeclared IllegalStateException via
Expand All @@ -1553,7 +1533,6 @@ jetty-9.3.16.v20170120 - 20 January 2017
+ 1275 Get rid of Mockito
+ 1276 Remove org.eclipse.jetty.websocket.server.WebSocketServerFactory from
SPI
+ 1277 http2 alpn test error

jetty-9.2.21.v20170120 - 20 January 2017
+ 592 Support no-value Host header in HttpParser
Expand Down Expand Up @@ -1589,7 +1568,6 @@ jetty-9.3.15.v20161220 - 20 December 2016
+ 1099 PushCacheFilter pushes POST requests
+ 1108 Please improve logging in SslContextFactory when there are no approved
cipher suites
+ 1114 Add testcase for WSUF for stop/start of the Server
+ 1118 Filter.destroy() conflicts with ContainerLifeCycle.destroy() in
WebSocketUpgradeFilter
+ 1123 Broken lifecycle for WebSocket's mappings