You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zookeeper.apache.org by ar...@apache.org on 2021/03/08 15:37:21 UTC
[zookeeper] branch branch-3.6 updated: ZOOKEEPER-4233:
dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223
This is an automated email from the ASF dual-hosted git repository.
arshad pushed a commit to branch branch-3.6
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.6 by this push:
new c78d926 ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223
c78d926 is described below
commit c78d926cc94de0710a8a7f07dd1f7f1138a3e8cc
Author: Damien Diederen <dd...@crosstwine.com>
AuthorDate: Mon Mar 8 21:09:38 2021 +0530
ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223
The OWASP checker reports that the version of Jetty currently
referenced by this branch is vulnerable to a CVE:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] jetty-server-9.4.35.v20201120.jar: CVE-2020-27223
[ERROR] jetty-http-9.4.35.v20201120.jar: CVE-2020-27223
https://nvd.nist.gov/vuln/detail/CVE-2020-27223 describes it as:
> In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive),
> 10.0.0, and 11.0.0 when Jetty handles a request containing multiple
> Accept headers with a large number of "quality" (i.e. q) parameters,
> the server may enter a denial of service (DoS) state due to high CPU
> usage processing those quality values, resulting in minutes of CPU
> time exhausted processing those quality values.
This changeset bumps Jetty to 9.4.38.v20210224, which is the latest
as of the commit date.
Author: Damien Diederen <dd...@crosstwine.com>
Reviewers: Enrico Olivelli <eo...@apache.org>, Mohammad Arshad <ar...@apache.org>
Closes #1624 from ztzg/ZOOKEEPER-4023-jetty-CVE-2020-27223-x-3.6
---
pom.xml | 2 +-
...35.v20201120.LICENSE.txt => jetty-http-9.4.38.v20210224.LICENSE.txt} | 0
...4.35.v20201120.LICENSE.txt => jetty-io-9.4.38.v20210224.LICENSE.txt} | 0
...20201120.LICENSE.txt => jetty-security-9.4.38.v20210224.LICENSE.txt} | 0
....v20201120.LICENSE.txt => jetty-server-9.4.38.v20210224.LICENSE.txt} | 0
...v20201120.LICENSE.txt => jetty-servlet-9.4.38.v20210224.LICENSE.txt} | 0
...35.v20201120.LICENSE.txt => jetty-util-9.4.38.v20210224.LICENSE.txt} | 0
...0201120.LICENSE.txt => jetty-util-ajax-9.4.38.v20210224.LICENSE.txt} | 0
8 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index ab8b150..b2a983c 100755
--- a/pom.xml
+++ b/pom.xml
@@ -356,7 +356,7 @@
<hamcrest.version>1.3</hamcrest.version>
<commons-cli.version>1.2</commons-cli.version>
<netty.version>4.1.59.Final</netty.version>
- <jetty.version>9.4.35.v20201120</jetty.version>
+ <jetty.version>9.4.38.v20210224</jetty.version>
<jackson.version>2.10.5.1</jackson.version>
<json.version>1.1.1</json.version>
<jline.version>2.14.6</jline.version>
diff --git a/zookeeper-server/src/main/resources/lib/jetty-util-ajax-9.4.35.v20201120.LICENSE.txt b/zookeeper-server/src/main/resources/lib/jetty-http-9.4.38.v20210224.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/jetty-util-ajax-9.4.35.v20201120.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/jetty-http-9.4.38.v20210224.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/jetty-util-9.4.35.v20201120.LICENSE.txt b/zookeeper-server/src/main/resources/lib/jetty-io-9.4.38.v20210224.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/jetty-util-9.4.35.v20201120.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/jetty-io-9.4.38.v20210224.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/jetty-servlet-9.4.35.v20201120.LICENSE.txt b/zookeeper-server/src/main/resources/lib/jetty-security-9.4.38.v20210224.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/jetty-servlet-9.4.35.v20201120.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/jetty-security-9.4.38.v20210224.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/jetty-server-9.4.35.v20201120.LICENSE.txt b/zookeeper-server/src/main/resources/lib/jetty-server-9.4.38.v20210224.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/jetty-server-9.4.35.v20201120.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/jetty-server-9.4.38.v20210224.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/jetty-security-9.4.35.v20201120.LICENSE.txt b/zookeeper-server/src/main/resources/lib/jetty-servlet-9.4.38.v20210224.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/jetty-security-9.4.35.v20201120.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/jetty-servlet-9.4.38.v20210224.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/jetty-io-9.4.35.v20201120.LICENSE.txt b/zookeeper-server/src/main/resources/lib/jetty-util-9.4.38.v20210224.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/jetty-io-9.4.35.v20201120.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/jetty-util-9.4.38.v20210224.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/jetty-http-9.4.35.v20201120.LICENSE.txt b/zookeeper-server/src/main/resources/lib/jetty-util-ajax-9.4.38.v20210224.LICENSE.txt
similarity index 100%
rename from zookeeper-server/src/main/resources/lib/jetty-http-9.4.35.v20201120.LICENSE.txt
rename to zookeeper-server/src/main/resources/lib/jetty-util-ajax-9.4.38.v20210224.LICENSE.txt