Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/01/31 16:57:00 UTC

[jira] [Commented] (IMPALA-11855) Upgrade jetty to 9.4.47+ due to CVE-2022-2047, CVE-2022-2048

    [ https://issues.apache.org/jira/browse/IMPALA-11855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17682656#comment-17682656 ] 

ASF subversion and git services commented on IMPALA-11855:
----------------------------------------------------------

Commit 4009ab151c34ffabbc89f81ec895cf9951687a99 in impala's branch refs/heads/master from Michael Smith
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=4009ab151 ]

IMPALA-11855: Upgrade jetty to 9.4.50

Upgrades jetty to 9.4.50 due to CVE-2022-2047, CVE-2022-2048.

Change-Id: Icbc6d3ad40b63986137ea1b5c71b9af61bd9e637
Reviewed-on: http://gerrit.cloudera.org:8080/19436
Reviewed-by: Riza Suminto <ri...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Upgrade jetty to 9.4.47+ due to CVE-2022-2047, CVE-2022-2048
> ------------------------------------------------------------
>
>                 Key: IMPALA-11855
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11855
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Frontend
>    Affects Versions: Impala 4.2.0
>            Reporter: Michael Smith
>            Assignee: Michael Smith
>            Priority: Major
>             Fix For: Impala 4.3.0
>
>
> CVE-2022-2047 - In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects invalid input as a hostname. This can lead to failures in a Proxy scenario.
> CVE-2022-2048 - In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org
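Added example (not part of the Jira issue, the commit, or Impala's own code): a small Python script that scans Maven dependency:tree output for Jetty coordinates and flags any version that falls inside the ranges the CVE-2022-2047 description above lists (9.4.0 to 9.4.46, 10.0.0 to 10.0.9, 11.0.0 to 11.0.9), which is the same threshold the ticket title states as 9.4.47+. The dependency:tree lines in the block are constructed sample input, the function names are my own, and the version parser assumes the ".vYYYYMMDD" release qualifier Jetty 9.4.x uses (plain "10.0.9"-style versions are handled too; SNAPSHOT or otherwise unparseable versions are reported rather than silently skipped).

```python
import re
from typing import List, Optional, Tuple

# Affected ranges (inclusive) as stated in the CVE-2022-2047 description quoted
# in the issue. The ticket's "9.4.47+" fix threshold is the 9.4 range's upper bound + 1.
AFFECTED_RANGES = (
    ((9, 4, 0), (9, 4, 46)),
    ((10, 0, 0), (10, 0, 9)),
    ((11, 0, 0), (11, 0, 9)),
)

# Jetty 9.4.x releases look like 9.4.46.v20220331; 10.x/11.x look like 10.0.9.
# Assumption: anything else (e.g. 9.4.50-SNAPSHOT) is not a release version.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")

# Matches a Maven coordinate as printed by `mvn dependency:tree`, e.g.
#   [INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.46.v20220331:compile
# Restricted to Jetty group ids (org.eclipse.jetty and org.eclipse.jetty.*).
_DEP_RE = re.compile(r"(org\.eclipse\.jetty(?:\.[\w-]+)*):([\w.-]+):jar:([^:\s]+):(\w+)")

# Constructed sample output, not taken from an Impala build.
SAMPLE_DEPENDENCY_TREE = """\
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.46.v20220331:compile
[INFO] |  \\- org.eclipse.jetty:jetty-http:jar:9.4.46.v20220331:compile
[INFO] +- org.eclipse.jetty.http2:http2-server:jar:9.4.46.v20220331:compile
[INFO] +- org.eclipse.jetty:jetty-util:jar:9.4.50.v20221201:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.4:compile
[INFO] \\- org.eclipse.jetty:jetty-servlet:jar:11.0.9:test
"""


def parse_jetty_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Jetty release version, else None."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if outside,
    None if the string could not be parsed as a release version."""
    parsed = parse_jetty_version(version)
    if parsed is None:
        return None
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def find_affected_jetty(tree_text: str) -> List[Tuple[str, str, str]]:
    """Scan dependency:tree output; return (groupId:artifactId, version, status)
    for every Jetty coordinate, with status 'affected', 'clear' or 'unparsed'.
    Transitive dependencies are matched the same way as direct ones."""
    rows = []
    for line in tree_text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        verdict = is_affected(version)
        if verdict is None:
            status = "unparsed"
        else:
            status = "affected" if verdict else "clear"
        rows.append((f"{group}:{artifact}", version, status))
    return rows


if __name__ == "__main__":
    # Real use: mvn dependency:tree | python3 this_script.py  (reading stdin instead
    # of the constructed sample above).
    for coordinate, version, status in find_affected_jetty(SAMPLE_DEPENDENCY_TREE):
        print(f"{status:9} {coordinate} {version}")
```

Run it against `mvn dependency:tree -Dincludes=org.eclipse.jetty*` output to get one line per Jetty artifact; anything reported as "affected" is below the 9.4.47 / 10.0.10 / 11.0.10 boundary implied by the ranges above, and "unparsed" lines (snapshots, odd qualifiers) need a manual look rather than being treated as clear.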