Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/02/25 10:52:42 UTC

[GitHub] [ozone] elek opened a new pull request #1964: Bump jetty version

elek opened a new pull request #1964:
URL: https://github.com/apache/ozone/pull/1964


   ## What changes were proposed in this pull request?
   
   > org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.
   > 
   > Affected versions of this package are vulnerable to HTTP Request Smuggling. If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
   
   See: https://app.snyk.io/org/elek/project/73e69ab2-cc42-47f1-965b-2a8ba3daaeb6/
   
   ## How was this patch tested?
   
   1. With CI
   
   2. By starting the compose cluster and double-checking that `localhost:9876` is available
   
   3. By checking the included jar files
   
   ```
   hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/share/ozone/lib
   ls -1 *jetty*
   jetty-http-9.4.35.v20201120.jar
   jetty-io-9.4.35.v20201120.jar
   jetty-security-9.4.35.v20201120.jar
   jetty-server-9.4.35.v20201120.jar
   jetty-servlet-9.4.35.v20201120.jar
   jetty-util-9.4.35.v20201120.jar
   jetty-util-ajax-9.4.35.v20201120.jar
   jetty-webapp-9.4.35.v20201120.jar
   jetty-xml-9.4.35.v20201120.jar
   ```


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
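Step 3 of the PR's test plan verifies the bump by eye with `ls -1 *jetty*` in the dist lib directory. The script below is an added example, not code from the PR or the Ozone project: it automates that check by parsing each `jetty-*.jar` filename in a lib directory and failing if any Jetty artifact is older than the version the PR's output shows (9.4.35.v20201120, so `MIN_JETTY=9.4.35` is taken from the page). The two sample lib directories are constructed here so the script runs offline; the "before" version 9.4.20.v20190813 is a constructed sample, since the page does not show the pre-bump version.

```shell
#!/bin/sh
# Added example: check that every Jetty jar in a lib directory is at or above
# a minimum version. MIN_JETTY is taken from the PR's `ls` output (9.4.35.v20201120).
MIN_JETTY="9.4.35"

# version_key 9.4.35 -> 9004035 : turn a dotted major.minor.patch into one
# integer so versions can be compared numerically with `test -ge`.
version_key() {
  printf '%s' "$1" | awk -F. '{ printf "%d%03d%03d", $1, $2, $3 }'
}

# check_jetty_jars DIR: list each jetty-*.jar with its status. Returns 1 if any
# jar is below MIN_JETTY, has no parseable version, or no Jetty jars are found.
check_jetty_jars() {
  dir="$1"
  status=0
  min_key=$(version_key "$MIN_JETTY")
  for jar in "$dir"/jetty-*.jar; do
    [ -e "$jar" ] || { echo "no jetty jars found in $dir"; return 1; }
    name=$(basename "$jar" .jar)   # e.g. jetty-util-ajax-9.4.35.v20201120
    ver=${name##*-}                # 9.4.35.v20201120 (text after the last '-')
    ver=${ver%%.v*}                # 9.4.35 (drop the .vYYYYMMDD build suffix)
    case "$ver" in
      [0-9]*.[0-9]*.[0-9]*) ;;
      *) echo "UNPARSEABLE $name"; status=1; continue ;;
    esac
    if [ "$(version_key "$ver")" -ge "$min_key" ]; then
      echo "OK       $name"
    else
      echo "OUTDATED $name (< $MIN_JETTY)"
      status=1
    fi
  done
  return $status
}

# make_sample_lib VERSION: constructed sample lib dir holding empty placeholder
# jars for the same nine Jetty modules the PR's `ls` output lists.
make_sample_lib() {
  d=$(mktemp -d)
  for m in http io security server servlet util util-ajax webapp xml; do
    : > "$d/jetty-$m-$1.jar"
  done
  echo "$d"
}

# Demo: a pre-bump directory (constructed version) and a post-bump one.
old_lib=$(make_sample_lib 9.4.20.v20190813)
new_lib=$(make_sample_lib 9.4.35.v20201120)
echo "== before bump =="
check_jetty_jars "$old_lib" || echo "FAIL: outdated Jetty jars in $old_lib"
echo "== after bump =="
check_jetty_jars "$new_lib" && echo "PASS: all Jetty jars >= $MIN_JETTY"
rm -rf "$old_lib" "$new_lib"
```

Point it at a real tree with `check_jetty_jars hadoop-ozone/dist/target/ozone-1.1.0-SNAPSHOT/share/ozone/lib` (the path from the PR) to turn the manual step into a CI gate; the version parsing assumes Jetty's `major.minor.patch.vYYYYMMDD` naming, so any jar that deviates is reported as UNPARSEABLE rather than silently passed.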


[GitHub] [ozone] adoroszlai merged pull request #1964: HDDS-4870. Bump jetty version

Posted by GitBox <gi...@apache.org>.
adoroszlai merged pull request #1964:
URL: https://github.com/apache/ozone/pull/1964


   




[GitHub] [ozone] adoroszlai commented on pull request #1964: HDDS-4870. Bump jetty version

Posted by GitBox <gi...@apache.org>.
adoroszlai commented on pull request #1964:
URL: https://github.com/apache/ozone/pull/1964#issuecomment-786648883


   Thanks @elek for the patch.

