Update Version.txt with CVEs (#6014)

Adds CVEs to Version.txt

VERSION.txt

@@ -67,7 +67,7 @@ jetty-10.0.0 - 02 December 2020
  + 5555 NPE for servlet with no mapping
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 java.io.IOException: unconsumed input during http request parsing
+ + 5605 java.io.IOException: unconsumed input during http request parsing - Resolves CVE-2020-27218
  + 5633 Allow to configure HttpClient request authority
  + 5679 Distro argument --list-all-modules does not work
  + 5680 No way to see which modules are enabled for the distro
@@ -91,7 +91,7 @@ jetty-10.0.0.beta3 - 21 October 2020
  + 5443 Request without Host header fails with NullPointerException in
    ForwardedRequestCustomizer
  + 5448 Request.isSecure() returns false for `https` schemes in Jetty 10
- + 5451 Improve Working Directory creation
+ + 5451 Improve Working Directory creation - Resolves CVE-2020-27216
  + 5454 Request error context is not reset
  + 5475 Update to spifly 1.3.2 and asm 9
  + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown
@@ -136,8 +136,8 @@ jetty-9.4.35.v20201120 - 20 November 2020
  + 5539 StatisticsServlet output is not valid
  + 5562 ArrayTernaryTrie consumes too much memory
  + 5575 Add SEARCH as a known HttpMethod
- + 5605 CVE-2020-27218 java.io.IOException: unconsumed input during http
-   request parsing
+ + 5605 java.io.IOException: unconsumed input during http
+   request parsing - Resolves CVE-2020-27218
  + 5633 Allow to configure HttpClient request authority
 
 jetty-9.4.34.v20201102 - 02 November 2020
@@ -161,7 +161,7 @@ jetty-9.4.33.v20201020 - 20 October 2020
    produced by ForwardedHeader
  + 5443 Request without Host header fails with NullPointerException in
    ForwardedRequestCustomizer
- + 5451 Improve Working Directory creation
+ + 5451 Improve Working Directory creation - Resolves CVE-2020-27216
  + 5454 Request error context is not reset
  + 5475 Update to spifly 1.3.2 and asm 9
  + 5480 NPE from WebInfConfiguration.deconfigure during WebAppContext shutdown
@@ -394,7 +394,7 @@ jetty-9.4.30.v20200611 - 11 June 2020
  + 4923 SecureRequestCustomizer.SslAttributes does not cache cert chain like
    before
  + 4929 HttpClient: HttpCookieStore.Empty prevents sending cookies
- + 4936 Response header overflow leads to buffer corruptions
+ + 4936 Response header overflow leads to buffer corruptions - Resolves CVE-2019-17638
 
 jetty-9.4.29.v20200521 - 21 May 2020
  + 2188 Lock contention creating HTTP/2 streams
@@ -531,7 +531,7 @@ jetty-9.4.24.v20191120 - 20 November 2019
  + 3083 The ini-template for jetty.console-capture.dir does not match the
    default value
  + 4128 OpenIdCredetials can't decode JWT ID token
- + 4334 Better test ErrorHandler changes
+ + 4334 Better test ErrorHandler changes - Resolves CVE-2019-17632
 
 jetty-9.4.23.v20191118 - 18 November 2019
  + 1485 Add systemd service file
@@ -621,6 +621,7 @@ jetty-9.4.22.v20191022 - 22 October 2019
    inclusion of sessionid
 
 jetty-9.4.21.v20190926 - 26 September 2019
+ + Includes fixes for CVE-2019-9511, CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, and CVE-2019-9518
  + 97 Permanent UnavailableException thrown during servlet request handling
    should cause servlet destroy
  + 137 Support OAuth
@@ -766,16 +767,16 @@ jetty-9.4.18.v20190429 - 29 April 2019
 jetty-9.4.17.v20190418 - 18 April 2019
  + 2140 Infinispan and hazelcast changes to scavenge zombie expired sessions
  + 3464 Split SslContextFactory into Client and Server
- + 3549 Directory Listing on Windows reveals Resource Base path
- + 3555 DefaultHandler Reveals Base Resource Path of each Context
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
 
 jetty-9.4.16.v20190411 - 11 April 2019
  + 1861 Limit total bytes pooled by ByteBufferPools
  + 3133 Logging of `key.readyOps()` can throw unchecked `CancelledKeyException`
  + 3159 WebSocket permessage-deflate RSV1 validity check
  + 3274 OSGi versions of java.base classes in
    org.apache.felix:org.osgi.foundation:jar conflicts with new rules on Java 9+
- + 3319 Modernize Directory Listing: HTML5 and Sorting
+ + 3319 Modernize Directory Listing: HTML5 and Sorting - Resolves CVE-2019-10241
  + 3361 HandlerCollection.addHandler is lacking synchronization
  + 3373 OutOfMemoryError: Java heap space in GZIPContentDecoder
  + 3389 Websockets jsr356 willDecode not invoked during decoding
@@ -848,26 +849,26 @@ jetty-9.3.28.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.3.27.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path
- + 3555 DefaultHandler Reveals Base Resource Path of each Context
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
 
 jetty-9.3.26.v20190403 - 03 April 2019
  + 2954 Improve cause reporting for HttpClient failures
  + 3274 OSGi versions of java.base classes in
    org.apache.felix:org.osgi.foundation:jar conflicts with new rules on Java 9+
  + 3302 Support host:port in X-Forwarded-For header in
    ForwardedRequestCustomizer
- + 3319 Allow reverse sort for directory listed files
+ + 3319 Allow reverse sort for directory listed files - Resolves CVE-2019-10241
 
 jetty-9.2.29.v20191105 - 05 November 2019
  + 4217 SslConnection.DecryptedEnpoint.flush eternal busy loop
 
 jetty-9.2.28.v20190418 - 18 April 2019
- + 3549 Directory Listing on Windows reveals Resource Base path
- + 3555 DefaultHandler Reveals Base Resource Path of each Context
+ + 3549 Directory Listing on Windows reveals Resource Base path - Resolves CVE-2019-10246
+ + 3555 DefaultHandler Reveals Base Resource Path of each Context - Resolves CVE-2019-10247
 
 jetty-9.2.27.v20190403 - 03 April 2019
- + 3319 Refactored Directory Listing to modernize and avoid XSS
+ + 3319 Refactored Directory Listing to modernize and avoid XSS - Resolves CVE-2019-10241
 
 jetty-9.4.14.v20181114 - 14 November 2018
  + 3097 Duplicated programmatic Servlet Listeners causing duplicate calls