RFR: 8145: Upgrade Jetty to version 10.0.17 [v2]

Brice Dutheil bdutheil at openjdk.org
Thu Nov 9 10:05:23 UTC 2023


On Wed, 8 Nov 2023 18:53:26 GMT, Virag Purnam <vpurnam at openjdk.org> wrote:

>> The default Jetty with Eclipse 4.29 is 10.0.15, but this version of Jetty has some vulnerabilities, mentioned below.
>> 
>> Vulnerabilities:  ([jetty-project_10.0.15](https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-project/10.0.15))
>> [CVE-2023-42503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42503)
>> [CVE-2023-41900](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900)
>> [CVE-2023-40167](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167)
>> [CVE-2023-39410](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39410)
>> [CVE-2023-36479](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479)
>> [CVE-2023-36478](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36478)
>> [CVE-2023-2976](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976)
>> [CVE-2020-8908](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908)
>> 
>> Vulnerabilities have been fixed in 10.0.17. Currently JMC is using 10.0.12.
>> So, we should use Jetty 10.0.17.
>
> Virag Purnam has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8145: Upgrade Jetty to version 10.0.17

LGTM

-------------

Marked as reviewed by bdutheil (Author).

PR Review: https://git.openjdk.org/jmc/pull/532#pullrequestreview-1722167798

