9.4.54.v20240208

Security Updates

This release addresses:

• CVE-2024-22201 - HTTP/2 connection not closed after idle timeout when TCP congested

Sponsored Release

This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com

Changelog

• #1256 DoSFilter leaks USER_AUTH entries
• #11259 HTTP/2 connection not closed after idle timeout when TCP congested
• #11389 Strip default ports on ws/wss scheme uris too

12.0.6

Security Updates

This release addresses:

• CVE-2024-22201 - HTTP/2 connection not closed after idle timeout when TCP congested

Special Thanks to the following Eclipse Jetty community members

• @LoggingResearch (LoggingResearch)

Changelog

• #11329 - Jetty 11->12 migration guide has incorrect new artifact names
• #11317 - Cleanup usages of addBean(Object) from constructors
• #11312 - baseResource/resourceBase is no longer extracted from ServletContext
• #11309 - ensure callback is always completed in WebSocketCoreSession
• #11303 - JettyWebSocketFrameHandler incorrectly relies on autoDemand when handlers are not registered
• #11299 - EE8/9 DefaultServlet.doPost() doesn't behave like Jetty 10/11
• #11296 - AbstractLoginModule porting issue
• #11290 - HTTP 400 and NPE in HttpParser for blank header value in Jetty 12.x
• #11288 - Fixes for Spring core integration
• #11282 - Deadlocks with DEBUG logging enabled in jetty-server testing
• #11281 - Failed LOG.debug() with MultiPart
• #11280 - EE10 OSGi Boot invalid jetty.xml Handler configuration
• #11275 - Jakarta websocket @OnMessage with Reader parameter stops working when there is an unhandled exception
• #11262 - Correct some javadoc typos
• #11259 - HTTP/2 connection not closed after idle timeout when TCP congested
• #11253 - Jetty 12 ComplianceViolation.Listener not notified for URI, Cookie, and Multipart violations.
• #11230 - Problem with parsing of form parameters without values in Jetty 12?
• #11228 - Reorganized and refactored JettyHomeTester to introduce JPMSTester.
• #11220 - ContextHandler(anyHandler) NPE during . logging 'because "this._vhosts" is null'
• #11098 - Sporadic NPE in ArrayByteBufferPool.evict()
• #11096 - IllegalAccessException when invoking WebSocket end point methods in Jetty 12
• #11095 - throws IllegalStateException for completed requests when Gzip Handler is used
• #11081 - Dropped WebSocket messages due to race condition in WebSocket frame handling
• #11080 - Google Cloud: during Multipart - java.lang.IllegalArgumentException: Cannot create chunk from non-retainable ContentChunk
• #10220 - Implement CrossOriginHandler

11.0.20

Security Updates

This release addresses:

• CVE-2024-22201 - HTTP/2 connection not closed after idle timeout when TCP congested

Special Thanks to the following Eclipse Jetty community members

• @LoggingResearch (LoggingResearch)

Changelog

• #11273 - Support BSD expr in startup script
• #11260 - QuickStartConfiguration cannot be mixed with contexts that do not have a WEB-INF/quickstart-web.xml
• #11081 - Dropped WebSocket messages due to race condition in WebSocket frame handling
• #10127 - Align Logging Level for Listener Timeout Exceptions with Debug (@LoggingResearch)

10.0.20

Security Updates

This release addresses:

• CVE-2024-22201 - HTTP/2 connection not closed after idle timeout when TCP congested

Special Thanks to the following Eclipse Jetty community members

• @LoggingResearch (LoggingResearch)

Changelog

• #11273 - Support BSD expr in startup script
• #11260 - QuickStartConfiguration cannot be mixed with contexts that do not have a WEB-INF/quickstart-web.xml
• #11081 - Dropped WebSocket messages due to race condition in WebSocket frame handling
• #10127 - Align Logging Level for Listener Timeout Exceptions with Debug (@LoggingResearch)

12.0.5

Changelog

• #11051 - Do not use HttpStream.Wrapper in SizeLimitHandler
• #11040 - "not an allowed scheme" for GraalVM Native-Image resource:-URIs
• #11037 - Serialize HttpClient request failures
• #11036 - Improve the dump output of ConcurrentPool
• #11032 - add deployment exception for non Jakarta WebSocket endpoints used in ServerEndpointConfig
• #11030 - Refactor eeX plus.security and plus.annotation classes to core
• #11027 - Cleanup Module + XML properties usage
• #11021 - Do not call afterResponse() in case of failures
• #11016 - IllegalStateException when stopping Server with pending requests
• #11014 - RedirectRegexRule and RewritePatternRule should consider relativeRedirectAllowed
• #10956 - Simplify Expect: 100-Continue handling
• #10933 - Review ServletChannelState.asyncError()
• #10897 - Refactor JNDI across environments for common JNDI components that can be in core
• #10852 - Add ResourceHandler.setUseFileMapping(boolean) option
• #10277 - Review read failures impacting writes

11.0.19

Special Thanks to the following Eclipse Jetty community members

• @garydgregory (Gary Gregory)
• @chadlwilson (Chad Wilson)

Changelog

• #11039 - Memory leak and multiple (Http|Servlet)*Listener invokations after restart
• #11031 - HttpClient should expose Connection/EndPoint used by HTTP requests
• #11014 - RedirectRegexRule and RewritePatternRule should consider relativeRedirectAllowed
• #10938 - Use String#isEmpty() (@garydgregory)
• #10876 - use correct scm coordinates
• #10812 - jetty-deploy has unnecessary dependency on awaitility/hamcrest pulled in at runtime (@chadlwilson)

10.0.19

Special Thanks to the following Eclipse Jetty community members

• @garydgregory (Gary Gregory)
• @chadlwilson (Chad Wilson)

Changelog

• #11039 - Memory leak and multiple (Http|Servlet)*Listener invokations after restart
• #11031 - HttpClient should expose Connection/EndPoint used by HTTP requests
• #11014 - RedirectRegexRule and RewritePatternRule should consider relativeRedirectAllowed
• #10938 - Use String#isEmpty() (@garydgregory)
• #10876 - use correct scm coordinates
• #10812 - jetty-deploy has unnecessary dependency on awaitility/hamcrest pulled in at runtime (@chadlwilson)

12.0.4

Special Thanks to the following Eclipse Jetty community members

• @hantsy (Hantsy Bai)
• @chadlwilson (Chad Wilson)

Changelog

• #10926 - AttributeNormalizer does not support combined resources
• #10925 - Jetty 12 documentation: references to jetty-maven-plugin
• #10922 - Fix NPE on null host when checking virtual host
• #10919 - EE10 multipart parsing may include '\r' at the front under certain conditions
• #10911 - Accurate implementation of H3 Request.beginNanoTime()
• #10902 - do not add duplicate jars to MetaData containerResources
• #10889 - Improve Resource use in MetaInfConfiguration
• #10888 - Fix leaked resources in jetty maven plugin
• #10886 - Don't track mounts for newResource() that do not exist
• #10879 - Improve redirect handling with reproducible content
• #10877 - Configure sbom plugin to produce sbom for jetty-home and include it in the distribution
• #10868 - reinstate HttpChannel reuse in H2
• #10867 - Immutable local/remote SocketAddress within a ConnectionMetaData
• #10866 - Recycle ServletChannel at ServletContextHandler completion.
• #10829 - Expired Session timing issue leads to Warning: "Invalidating session {} found to be expired when requested"
• #10812 - jetty-deploy has unnecessary dependency on awaitility/hamcrest pulled in at runtime (@chadlwilson)
• #10810 - Update jetty-maven-plugin Documentation for new environment layer (@hantsy)
• #10802 - Stabilize secondary_super_cache in server code
• #10801 - Recycle ServletChannel in ServletContextHandler
• #10797 - Multiple identical Set-Cookie response lines produced
• #10792 - Various cleanups of Handler.insertHandler
• #10787 - Weak reference concurrent pool
• #10775 - Review ConnectionMetaData.isSecure()
• #10768 - WebSocketUpgradeHandler should not require ContextHandler
• #10749 - WebSocketClient should expose upgrade request/response
• #10687 - Jetty WebSocket remembers mappings on restart
• #10484 - Clarify documentation about how to make a non-blocking handler tree
• #10384 - ServletChannel now using proper state changes for calls to ErrorHandler to avoid IllegalStateExceptions

12.0.3

Changelog

• #10794 - 301 Moved Permanently produces query with ; instead of ?
• #10779 - Upgrade to xhtml-schemas 1.3 which add one more entity systemid
• #10771 - EE10 ServletRequest.isSecure() not set by ForwardedRequestCustomizer
• #10762 - Better handling of Objects in JMX MetaData
• #10760 - Fix Overlay of Combined Resources
• #10759 - Fix HTTP/3 Client handling of MAX_FIELD_SECTION_SIZE setting
• #10747 - Add ability to compress and skip unserializable session attributes
• #10734 - jakarta.websocket.Session.getRequestParameterMap() contains the value as key
• #10731 - org.eclipse.jetty.server.Request uses wrong context attribute name javax.servlet instead of jakarta.servlet
• #10727 - Fix EE10 removeAttributes
• #10726 - NPE in ResponseListeners content notification
• #10716 - Incorrect setting of content type with charset encoding before and after PrintWriter obtained
• #10703 - Fix race condition in ArrayByteBufferPool.clear()
• #10699 - Jetty HTTP SPI redirects SOAP POST requests to GET requests if URL does not end with /
• #10688 - Introduce Jetty 12 ee8 osgi layer
• #10685 - fix infinite recursion in server dump with Path
• #10661 - Ensure jetty api servlets/filters take precedence over webdefault.xml declarations.
• #10656 - EE10 ServletRequest.getProtocolRequestId() impl not spec compliant when protocol is H1
• #10651 - MutableHttpFields.asImmutable avoids copy
• #10612 - Fix surefire display name in surefire report and restore TestTrackerExtension in output"
• #10582 - NPE when including a directory that should be resolved with servlet-mapped welcome file
• #10578 - Jetty 12.0.x use automatic formatter for poms to have same style for every poms
• #10555 - Re-introduce a more complete set of stats in StatisticsHandler
• #10477 - Jetty 12: Review MBeans for Handlers

11.0.18

Special Thanks to the following Eclipse Jetty community members

• @OlexYarm (OlexYarm)

Changelog

• #10786 - TLS handshake failures leak HttpConnection.RequestTimeouts tasks
• #10755 - deprecate PushCacheFilter
• #10753 - Improve and test jetty.sh behaviors
• #10731 - org.eclipse.jetty.server.Request uses wrong context attribute name javax.servlet instead of jakarta.servlet
• #10675 - Fixed issue 10305 Embedded Jetty server fails to start when requests path contains not existed directory (@OlexYarm)
• #10667 - Add configuration to allow deferring the initial Deployment until after Server is started
• #10390 - Jetty HTTP/3 Client fails when connecting to nghttpx server
• #1256 - DoSFilter leaks USER_AUTH entries