RFR: 8145: Upgrade Jetty to version 10.0.17

Alex Macdonald aptmac at openjdk.org
Wed Nov 8 15:15:16 UTC 2023


On Wed, 8 Nov 2023 05:50:06 GMT, Virag Purnam <vpurnam at openjdk.org> wrote:

> Default jetty with Eclipse 4.29 is 10.0.15. But this version of jetty has some vulnerabilities mentioned below.
> 
> Vulnerabilities:  ([jetty-project_10.0.15](https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-project/10.0.15))
> [CVE-2023-42503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42503)
> [CVE-2023-41900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900)
> [CVE-2023-40167](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167)
> [CVE-2023-39410](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39410)
> [CVE-2023-36479](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479)
> [CVE-2023-36478](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36478)
> [CVE-2023-2976](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976)
> [CVE-2020-8908](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908)
> 
> Vulnerabilities have been fixed in 10.0.17. Currently JMC is using 10.0.12.
> So, we should use jetty 10.0.17.

Looks good to me.

Just curious about the 2022-09 platform. It's still included, but is pretty old at this point. If we're not going to update it, it's probably time to remove it. Or did you want to update the jetty versions for that target as well? (It will also need a spifly version bump)

-------------

PR Review: https://git.openjdk.org/jmc/pull/532#pullrequestreview-1720604288