diff --git a/VERSION.txt b/VERSION.txt index 2e5487a4dd54..912238236a73 100644 --- a/VERSION.txt +++ b/VERSION.txt 
@@ -211,114 +211,6 @@ jetty-10.0.0.beta3 - 21 October 2020 + 5475 Update to spifly 1.3.2 and asm 9 + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown -jetty-9.4.41.v20210516 - 16 May 2021 - + 6099 Cipher preference may break SNI if certificates have different key - types - + 6186 Add Null Protection on Log / Logger - + 6205 OpenIdAuthenticator may use incorrect redirect - + 6208 HTTP/2 max local stream count exceeded - + 6227 Better resolve race between `AsyncListener.onTimeout` and - `AsyncContext.dispatch` - + 6254 Total timeout not enforced for queued requests - + 6263 Review URI encoding in ConcatServlet & WelcomeFilter - + 6277 Better handle exceptions thrown from session destroy listener - + 6280 Copy ServletHolder class/instance properly during startWebapp - -jetty-9.4.39.v20210325 - 25 March 2021 - + 6034 SslContextFactory may select a wildcard certificate during SNI - selection when a more specific SSL certificate is present - + 6050 Websocket: NotUtf8Exception after upgrade to 9.4.36 or newer - + 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to - work on Android - + 6063 Allow override of hazelcast version when using module - + 6072 jetty server high CPU when client send data length > 17408 - Resolves - CVE-2021-28165 - + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" - Message - + 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164 - + 6102 Exclude webapps directory from deployment scan - Resolves - CVE-2021-28163 - -jetty-9.4.38.v20210224 - 24 February 2021 - + 4275 Path Normalization/Traversal - Context Matching - + 5963 Improve QuotedQualityCSV for CVE-2020-27223 - + 5977 Cache-Control header set by a filter is override by the value from - DefaultServlet configuration - + 5994 QueuedThreadPool "free" threads - + 5999 HttpURI ArrayIndexOutOfBounds - + 6001 Ambiguous URI legacy compliance mode - -jetty-9.4.37.v20210219 - 19 February 2021 - + 4275 Path 
Normalization/Traversal - Context Matching - + 5492 Add ability to manage start modules by java feature - + 5605 Blocked IO Thread not woken - + 5787 Make ManagedSelector report better JMX data - + 5851 org.eclipse.jetty.websocket.servlet.WebSocketServlet cleanup - + 5859 Classloader leaks from ShutdownThread and QueuedThreadPool - + 5909 Cannot disable HTTP OPTIONS Method - + 5937 Unnecessary blocking in ResourceService - + 5950 Deadlock due to logging inside classloaders - + 5963 Improve QuotedQualityCSV - Resolves CVE-2020-27223 - + 5973 Proxy client TLS authentication example - + 5977 Cache-Control header set by a filter is override by the value from - DefaultServlet configuration - + 5979 Configurable gzip Etag extension - -jetty-9.4.36.v20210114 - 14 January 2021 - + 5310 Jetty Http2 client discards the response frames when there is GOAWAY - and sends RST_STREAM - + 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate - + 5633 Allow to configure HttpClient request authority - + 5689 Jetty ssl keystorePath doesn't work with absolute path - + 5755 Cannot configure maxDynamicTableSize on HTTP2Client - + 5783 Fix ConnectionStatistics.*Rate() methods - + 5785 Reduce log level for WebSocket connections closed by clients - + 5794 ServerConnector leaks closed sockets which can lead to file descriptor - exhaustion - + 5824 Build up of ConstraintMappings when stopping and starting WebAppContext - + 5830 Jetty-util contains wrong Import-Package - + 5844 download flag to jetty-start causes NullPointerException - + 5845 Use UTF-8 encoding for client basic auth if requested - + 5855 HttpClient may not send queued requests - + 5870 jetty-maven-plugin fails to run ServletContainerInitializer on Windows - due to URI case comparison bug - -jetty-9.4.35.v20201120 - 20 November 2020 - + 4711 Reset trailers on recycled response - + 5486 PropertyFileLoginModule retains PropertyUserStores - + 5539 StatisticsServlet output is not valid - + 5562 ArrayTernaryTrie 
consumes too much memory - + 5575 Add SEARCH as a known HttpMethod - + 5605 java.io.IOException: unconsumed input during http request parsing - - Resolves CVE-2020-27218 - + 5633 Allow to configure HttpClient request authority - -jetty-9.4.34.v20201102 - 02 November 2020 - + 5320 Using WebSocketClient with jetty-websocket-httpclient.xml in a Jetty - web application causes ClassCastException - + 5488 jetty-dir.css not found when using JPMS - + 5498 ServletHolder lifecycle correctness - + 5521 ResourceCollection NPE in list() - + 5535 Support regex in SslContextFactory include/exclude of protocols - + 5555 NPE for servlet with no mapping - -jetty-9.4.33.v20201020 - 20 October 2020 - + 5022 Cleanup ServletHandler, specifically with respect to making filter - chains more extensible - + 5368 WebSocket text event execute in same thread as running binary event and - destroy Threadlocal - + 5378 Filter/Servlet/Listener Holders are not started if added during - STARTING state. - + 5409 HttpClient fails intermittently with "Invalid response state TRANSIENT" - + 5417 Badly configured HttpConfiguration.securePort can lead to wrong port - produced by ForwardedHeader - + 5443 Request without Host header fails with NullPointerException in - ForwardedRequestCustomizer - + 5451 Improve Working Directory creation - Resolves CVE-2020-27216 - + 5454 Request error context is not reset - + 5475 Update to spifly 1.3.2 and asm 9 - + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown - jetty-10.0.0.beta2 - 02 October 2020 + 1337 MultiPart Part.write(String fileName) - Write method used unexpected path 
@@ -453,6 +345,140 @@ jetty-10.0.0.beta1 - 10 July 2020 + 5000 NPE from Server.dump of FilterMapping + 5018 WebSocketClient upgrade request timeout not configurable +jetty-9.4.43.v20210629 - 30 June 2021 + + 6379 Reduce contention in all `ByteBufferPool` implementations + + 6382 HttpClient TimeoutException message reports transient values + + 6400 QueuedThreadPool interrupts pool threads when stopped with zero timeout + + 6425 Update to asm 9.1 + + 6447 Deprecate support for UTF16 encoding in URIs + + 6470 java.nio.ReadOnlyBufferException + + 6473 Improve alias checking in PathResource + +jetty-9.4.42.v20210604 - 04 June 2021 + + 5379 Better handling for wrong SNI + + 5931 SslConnection should implement getBytesIn()/getBytesOut() + + 6118 Display a warning when Hazelcast configuration does not contain Jetty + session serializer + + 6276 Support non-standard domains in SNI and X509 + + 6287 Class loading broken for WebSocketClient used inside webapp + + 6323 HttpClient gets stuck/never calls onComplete() when multiple requests + with timeouts are sent + +jetty-9.4.41.v20210516 - 16 May 2021 + + 6099 Cipher preference may break SNI if certificates have different key + types + + 6186 Add Null Protection on Log / Logger + + 6205 OpenIdAuthenticator may use incorrect redirect + + 6208 HTTP/2 max local stream count exceeded + + 6227 Better resolve race between `AsyncListener.onTimeout` and + `AsyncContext.dispatch` + + 6254 Total timeout not enforced for queued requests + + 6263 Review URI encoding in ConcatServlet & WelcomeFilter (Resolved + CVE-2021-28169) + + 6277 Better handle exceptions thrown from session destroy listener + + 6280 Copy ServletHolder class/instance properly during startWebapp + +jetty-9.4.40.v20210413 - 13 April 2021 + + 6082 SslConnection compacting + + 6105 HttpConnection.getBytesIn() incorrect for requests with chunked content + + 6148 Jetty start.jar always reports jetty.tag.version as `master` + + 6168 Improve handling of unconsumed content + 
+jetty-9.4.39.v20210325 - 25 March 2021 + + 6034 SslContextFactory may select a wildcard certificate during SNI + selection when a more specific SSL certificate is present + + 6050 Websocket: NotUtf8Exception after upgrade to 9.4.36 or newer + + 6052 Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to + work on Android + + 6063 Allow override of hazelcast version when using module + + 6072 jetty server high CPU when client send data length > 17408 - Resolves + CVE-2021-28165 + + 6085 Jetty keeps Sessions in use after "Duplicate valid session cookies" + Message + + 6101 Normalize ambiguous URIs - Resolves CVE-2021-28164 + + 6102 Exclude webapps directory from deployment scan - Resolves + CVE-2021-28163 + +jetty-9.4.38.v20210224 - 24 February 2021 + + 4275 Path Normalization/Traversal - Context Matching + + 5963 Improve QuotedQualityCSV for CVE-2020-27223 + + 5977 Cache-Control header set by a filter is override by the value from + DefaultServlet configuration + + 5994 QueuedThreadPool "free" threads + + 5999 HttpURI ArrayIndexOutOfBounds + + 6001 Ambiguous URI legacy compliance mode + +jetty-9.4.37.v20210219 - 19 February 2021 + + 4275 Path Normalization/Traversal - Context Matching + + 5492 Add ability to manage start modules by java feature + + 5605 Blocked IO Thread not woken + + 5787 Make ManagedSelector report better JMX data + + 5851 org.eclipse.jetty.websocket.servlet.WebSocketServlet cleanup + + 5859 Classloader leaks from ShutdownThread and QueuedThreadPool + + 5909 Cannot disable HTTP OPTIONS Method + + 5937 Unnecessary blocking in ResourceService + + 5950 Deadlock due to logging inside classloaders + + 5963 Improve QuotedQualityCSV - Resolves CVE-2020-27223 + + 5973 Proxy client TLS authentication example + + 5977 Cache-Control header set by a filter is override by the value from + DefaultServlet configuration + + 5979 Configurable gzip Etag extension + +jetty-9.4.36.v20210114 - 14 January 2021 + + 5310 Jetty Http2 client discards the 
response frames when there is GOAWAY + and sends RST_STREAM + + 5499 Improve temporary buffer usage for WebSocket PerMessageDeflate + + 5633 Allow to configure HttpClient request authority + + 5689 Jetty ssl keystorePath doesn't work with absolute path + + 5755 Cannot configure maxDynamicTableSize on HTTP2Client + + 5783 Fix ConnectionStatistics.*Rate() methods + + 5785 Reduce log level for WebSocket connections closed by clients + + 5794 ServerConnector leaks closed sockets which can lead to file descriptor + exhaustion + + 5824 Build up of ConstraintMappings when stopping and starting WebAppContext + + 5830 Jetty-util contains wrong Import-Package + + 5844 download flag to jetty-start causes NullPointerException + + 5845 Use UTF-8 encoding for client basic auth if requested + + 5855 HttpClient may not send queued requests + + 5870 jetty-maven-plugin fails to run ServletContainerInitializer on Windows + due to URI case comparison bug + +jetty-9.4.35.v20201120 - 20 November 2020 + + 4711 Reset trailers on recycled response + + 5486 PropertyFileLoginModule retains PropertyUserStores + + 5539 StatisticsServlet output is not valid + + 5562 ArrayTernaryTrie consumes too much memory + + 5575 Add SEARCH as a known HttpMethod + + 5605 java.io.IOException: unconsumed input during http request parsing - + Resolves CVE-2020-27218 + + 5633 Allow to configure HttpClient request authority + +jetty-9.4.34.v20201102 - 02 November 2020 + + 5320 Using WebSocketClient with jetty-websocket-httpclient.xml in a Jetty + web application causes ClassCastException + + 5488 jetty-dir.css not found when using JPMS + + 5498 ServletHolder lifecycle correctness + + 5521 ResourceCollection NPE in list() + + 5535 Support regex in SslContextFactory include/exclude of protocols + + 5555 NPE for servlet with no mapping + +jetty-9.4.33.v20201020 - 20 October 2020 + + 5022 Cleanup ServletHandler, specifically with respect to making filter + chains more extensible + + 5368 WebSocket text event execute 
in same thread as running binary event and + destroy Threadlocal + + 5378 Filter/Servlet/Listener Holders are not started if added during + STARTING state. + + 5409 HttpClient fails intermittently with "Invalid response state TRANSIENT" + + 5417 Badly configured HttpConfiguration.securePort can lead to wrong port + produced by ForwardedHeader + + 5443 Request without Host header fails with NullPointerException in + ForwardedRequestCustomizer + + 5451 Improve Working Directory creation - Resolves CVE-2020-27216 + + 5454 Request error context is not reset + + 5475 Update to spifly 1.3.2 and asm 9 + + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown + jetty-9.4.32.v20200930 - 30 September 2020 + 2796 HTTP/2 max local stream count exceeded when request fails + 3766 Introduce HTTP/2 API to batch frames
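Review bot: The block removed in the `@@ -211,114 +211,6 @@` hunk is not moved verbatim, so this relocation cannot be checked as a pure move. The removed text goes straight from `jetty-9.4.41.v20210516` to `jetty-9.4.39.v20210325` with no 9.4.40 section, and its `6263 Review URI encoding in ConcatServlet & WelcomeFilter` line carries no CVE reference, while the re-added text has both. Suggest either splitting this into one commit that moves the 9.4.33 to 9.4.41 entries unchanged and a second that adds 9.4.40, 9.4.42, 9.4.43 and the CVE annotation, or listing those content changes in the commit message so a reader can confirm no security-relevant entry was dropped or altered in transit.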
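Review bot: In the `@@ -453,6 +345,140 @@` hunk, the 6263 entry under `jetty-9.4.41.v20210516` records its CVE as `(Resolved CVE-2021-28169)`, whereas the other security entries in the same hunk use the `- Resolves CVE-...` suffix (6072, 6101, 6102, 5963 in 9.4.37, 5605 in 9.4.35, 5451), and 5963 under 9.4.38 uses a third form, `for CVE-2020-27223`. Anyone searching the changelog for `Resolves CVE` to decide which release fixes what will miss these, so suggest rewriting the line as `6263 Review URI encoding in ConcatServlet & WelcomeFilter - Resolves CVE-2021-28169`. Separately, the header `jetty-9.4.43.v20210629 - 30 June 2021` has a version timestamp of 29 June against a stated date of 30 June; every other header in the hunk has the two matching, so please confirm which is intended.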