Commit
ZOOKEEPER-4233: dependency-check:check failing - Jetty 9.4.35.v20201120 - CVE-2020-27223

The OWASP checker reports that the version of Jetty currently referenced by this branch is vulnerable to a CVE:

    [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project zookeeper:
    [ERROR]
    [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
    [ERROR]
    [ERROR] jetty-server-9.4.35.v20201120.jar: CVE-2020-27223
    [ERROR] jetty-http-9.4.35.v20201120.jar: CVE-2020-27223

https://nvd.nist.gov/vuln/detail/CVE-2020-27223 describes it as:

> In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive),
> 10.0.0, and 11.0.0 when Jetty handles a request containing multiple
> Accept headers with a large number of "quality" (i.e. q) parameters,
> the server may enter a denial of service (DoS) state due to high CPU
> usage processing those quality values, resulting in minutes of CPU
> time exhausted processing those quality values.

This changeset bumps Jetty to 9.4.38.v20210224, which is the latest as of the commit date.

Author: Damien Diederen <[email protected]>

Reviewers: Enrico Olivelli <[email protected]>, Mohammad Arshad <[email protected]>

Closes #1625 from ztzg/ZOOKEEPER-4023-jetty-CVE-2020-27223-x-3.5