Posted to commits@kafka.apache.org by ma...@apache.org on 2021/03/03 04:50:57 UTC

[kafka] branch 2.6 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223

This is an automated email from the ASF dual-hosted git repository.

manikumar pushed a commit to branch 2.6
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/2.6 by this push:
     new 8d25864  KAFKA-12400: Upgrade jetty to fix CVE-2020-27223
8d25864 is described below

commit 8d258649a8fd32734ce19b9966cfebb2e0a0d6ee
Author: Lee Dongjin <do...@apache.org>
AuthorDate: Wed Mar 3 10:13:40 2021 +0530

    KAFKA-12400: Upgrade jetty to fix CVE-2020-27223
    
    Here is the fix. The cause of [CVE-2020-27223](https://nvd.nist.gov/vuln/detail/CVE-2020-27223) was a DoS vulnerability in Quoted Quality CSV headers, [patched in 9.4.37.v20210219](https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7).
    
    This PR updates the Jetty dependency to the following version: 9.4.38.v20210224.
    
    Author: Lee Dongjin <do...@apache.org>
    
    Reviewers: Manikumar Reddy <ma...@gmail.com>
    
    Closes #10245 from dongjinleekr/feature/KAFKA-12400
    
    (cherry picked from commit b77deece1db3fca5575e336e157677f83bf3b506)
    Signed-off-by: Manikumar Reddy <ma...@gmail.com>
---
 gradle/dependencies.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 90daf55..08270a8 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -69,7 +69,7 @@ versions += [
   jackson: "2.10.5",
   jacksonDatabind: "2.10.5.1",
   jacoco: "0.8.5",
-  jetty: "9.4.36.v20210114",
+  jetty: "9.4.38.v20210224",
   jersey: "2.31",
   jmh: "1.23",
   hamcrest: "2.2",
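Review bot: The commit message states the CVE was patched in 9.4.37.v20210219, yet the bump in this hunk goes to `jetty: "9.4.38.v20210224"`; please record in the message why the later release was chosen over the first fixed one (for example, a follow-up regression fix in 9.4.38), so a reader auditing the dependency history can tie the version to the advisory without guessing. It would also help to mention in the message whether any other build metadata that pins the Jetty version (license or notice listings, if the repository keeps them) needed a matching update, since this diff touches only `gradle/dependencies.gradle`.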