Posted to commits@kafka.apache.org by ma...@apache.org on 2021/02/22 17:53:07 UTC
[kafka] branch 2.7 updated: KAFKA-12324: Upgrade jetty to fix CVE-2020-27218
This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch 2.7
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/2.7 by this push:
new 3f005e3 KAFKA-12324: Upgrade jetty to fix CVE-2020-27218
3f005e3 is described below
commit 3f005e3880e6b359dc17f03f22edfbc1fa66d614
Author: Lee Dongjin <do...@apache.org>
AuthorDate: Mon Feb 22 23:19:06 2021 +0530
KAFKA-12324: Upgrade jetty to fix CVE-2020-27218
Here is the fix. The reason for [CVE-2020-27218](https://nvd.nist.gov/vuln/detail/CVE-2020-27218) was [Incorrect recycling of `HttpInput`](https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892), and it was [patched in 9.4.35.v20201120](https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8).
This PR updates the Jetty dependency to the following version: 9.4.36.v20210114.
Author: Lee Dongjin <do...@apache.org>
Reviewers: Manikumar Reddy <ma...@gmail.com>
Closes #10177 from dongjinleekr/feature/KAFKA-12324
(cherry picked from commit c71ec552d100973cda65da3228ba3f2ab8039221)
Signed-off-by: Manikumar Reddy <ma...@gmail.com>
---
gradle/dependencies.gradle | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 68a969f..f41397c 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -69,7 +69,7 @@ versions += [
jackson: "2.10.5",
jacksonDatabind: "2.10.5.1",
jacoco: "0.8.5",
- jetty: "9.4.33.v20201020",
+ jetty: "9.4.36.v20210114",
jersey: "2.31",
jmh: "1.23",
hamcrest: "2.2",
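Review bot: on the `jetty` line the version moves from 9.4.33.v20201020 straight to 9.4.36.v20210114, while the commit message names 9.4.35.v20201120 as the release that carries the fix, so the message should say why 9.4.36 was chosen for this 2.7 maintenance-branch cherry-pick rather than the minimal patched release. Because the bump spans several patch versions, it would also help to record that the intermediate Jetty release notes were checked for behaviour changes, and to confirm that every Jetty artifact in the build resolves through this single `versions` entry so that no module stays on 9.4.33.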