The Jetty team is announcing the immediate availability of new releases for the Eclipse Jetty 9.4.x, 10.0.x, 11.0.x, and 12.0.x branches.
These releases include a number of bug fixes and improvements, along with addressing 2 HTTP/2 advisories.
Note: The Jetty 9.4.53 release was sponsored by a commercial support contract with webtide.com

See the GitHub release pages for the changelogs:
* https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
* https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.17
* https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.17
* https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.2

The Security Advisories being published today are:
HTTP/2 DDoS Vector
CVE: CVE-2023-44487 (Industry / Spec level CVE, not Jetty specific)
Severity: High (7.5)
Impacted Versions:
org.eclipse.jetty.http2:http2-common >= 9.3.0, <= 9.4.52
org.eclipse.jetty.http2:http2-common >= 10.0.0, <= 10.0.16
org.eclipse.jetty.http2:http2-common >= 11.0.0, <= 11.0.16
org.eclipse.jetty.http2:http2-server >= 9.3.0, <= 9.4.52
org.eclipse.jetty.http2:http2-server >= 10.0.0, <= 10.0.16
org.eclipse.jetty.http2:http2-server >= 11.0.0, <= 11.0.16
org.eclipse.jetty.http2:jetty-http2-common >= 12.0.0, <= 12.0.1
org.eclipse.jetty.http2:jetty-http2-server >= 12.0.0, <= 12.0.1
Fixed Versions:
9.4.53
10.0.17
11.0.17
12.0.2
HTTP/2 HPACK integer overflow and buffer allocation
CVE: CVE-2023-36478
Advisory: https://github.com/advisories/GHSA-wgh7-54f2-x98r
Severity: High (7.5) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness:
CWE-190 - Integer Overflow or Wraparound
CWE-400 - Uncontrolled Resource Consumption
Impacted Versions:
org.eclipse.jetty:jetty-http >= 9.3.0, <= 9.4.52
org.eclipse.jetty:jetty-http >= 10.0.0, <= 10.0.15
org.eclipse.jetty:jetty-http >= 11.0.0, <= 11.0.15
org.eclipse.jetty.http2:http2-hpack >= 9.3.0, <= 9.4.52
org.eclipse.jetty.http2:http2-hpack >= 10.0.0, <= 10.0.15
org.eclipse.jetty.http2:http2-hpack >= 11.0.0, <= 11.0.15
org.eclipse.jetty.http3:http3-qpack >= 10.0.0, <= 10.0.15
org.eclipse.jetty.http3:http3-qpack >= 11.0.0, <= 11.0.15
Fixed Versions:
9.4.53
10.0.16
11.0.16
Unaffected Versions:
12.0.x
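Added example, not the Jetty team's code: a small Python check that scans `mvn dependency:list` output against the impacted ranges listed in the two advisories above. It assumes the group:artifact coordinates exactly as written there, that version strings begin with the numeric part (qualifiers such as `.v20231009` are ignored), and the sample dependency output is constructed, not taken from a real build.

```python
import re
# Impacted ranges exactly as listed in the advisories above (inclusive bounds), keyed by CVE id.
AFFECTED = {
    "CVE-2023-44487": [
        (("org.eclipse.jetty.http2:http2-common", "org.eclipse.jetty.http2:http2-server"),
         [("9.3.0", "9.4.52"), ("10.0.0", "10.0.16"), ("11.0.0", "11.0.16")]),
        (("org.eclipse.jetty.http2:jetty-http2-common", "org.eclipse.jetty.http2:jetty-http2-server"),
         [("12.0.0", "12.0.1")]),
    ],
    "CVE-2023-36478": [
        (("org.eclipse.jetty:jetty-http", "org.eclipse.jetty.http2:http2-hpack"),
         [("9.3.0", "9.4.52"), ("10.0.0", "10.0.15"), ("11.0.0", "11.0.15")]),
        (("org.eclipse.jetty.http3:http3-qpack",),
         [("10.0.0", "10.0.15"), ("11.0.0", "11.0.15")]),
    ],
}

def parse_version(v):
    """Leading numeric components of a Jetty version: '9.4.51.v20230217' -> (9, 4, 51)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def cves_for(coordinate, version):
    """CVE ids whose impacted ranges cover this group:artifact at this version (empty if none)."""
    ver = parse_version(version)
    return [cve for cve, entries in AFFECTED.items()
            for artifacts, ranges in entries if coordinate in artifacts
            and any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges)]

def scan_dependency_list(text):
    """Scan `mvn dependency:list` lines (group:artifact:type[:classifier]:version:scope)."""
    findings = []
    for line in text.splitlines():
        fields = line.split()[-1].split(":") if line.split() else []
        if len(fields) < 5:  # not a dependency line
            continue
        coordinate, version = f"{fields[0]}:{fields[1]}", fields[-2]
        hits = cves_for(coordinate, version)
        if hits:
            findings.append((coordinate, version, hits))
    return findings
# Constructed sample output (not from a real build): two pre-fix artifacts, one patched one.
SAMPLE = """[INFO] The following files have been resolved:
[INFO]    org.eclipse.jetty.http2:http2-server:jar:9.4.51.v20230217:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:9.4.51.v20230217:compile
[INFO]    org.eclipse.jetty.http2:jetty-http2-server:jar:12.0.2:compile
"""
```

Run `scan_dependency_list` over your own `mvn dependency:list` output; each returned tuple names an artifact still inside a published impacted range and the advisory it belongs to.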
These releases are available on the Eclipse Jetty project download page or from the Maven Central repository:
* Eclipse: https://eclipse.dev/jetty/download.php
* Maven Central: https://repo1.maven.org/maven2/org/eclipse/jetty/

Documentation for these releases can be found on the Eclipse Jetty project site:
* https://eclipse.dev/jetty/documentation.php

If you find any issues with these releases, or if you want to suggest future enhancements, please file an issue on the Jetty GitHub page:
* https://github.com/eclipse/jetty.project/issues/new

Commercial production and development support for Jetty is offered through Webtide (webtide.com).
Please contact us for more information or email jesse@xxxxxxxxxxx to discuss your specific needs.
Best Regards,
The Jetty Development Team