
[SPARK-39725][BUILD] Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622 #37142

Closed

Conversation

@bjornjorgensen (Contributor) commented Jul 8, 2022

What changes were proposed in this pull request?

Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622

Why are the changes needed?

Release note

CVE-2022-2047

Info from GitHub Dependabot

Invalid URI parsing may produce invalid HttpURI.authority

Description

URI use within Jetty's HttpURI class can parse invalid URIs such as http://localhost;/path as having an authority with a host of localhost;.

A URI of the type http://localhost;/path should be interpreted either as invalid or as having localhost; as the userinfo and no host.
However, HttpURI.host returns localhost; which is definitely wrong.

Impact

This can lead to errors with Jetty's HttpClient, and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.

Patches

Patched in PR jetty/jetty.project#8146 for Jetty version 9.4.47.
Patched in PR jetty/jetty.project#8015 for Jetty versions 10.0.10 and 11.0.10.

Workarounds

None.

For more information

If you have any questions or comments about this advisory:

Email us at security@webtide.com.

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Pass GA
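The advisory above describes HttpURI accepting `localhost;` as a host. As an added example (not code from Jetty or Spark), here is a conservative authority parser in Python that a client or proxy could use to reject such an authority instead of forwarding it; it assumes a host grammar of RFC 1123 host names (which also covers dotted IPv4) or bracketed IPv6 literals, which is stricter than RFC 3986's reg-name.

```python
import re
from typing import NamedTuple, Optional

# Conservative host grammar, an assumption of this check: RFC 1123-style host
# names or a bracketed IPv6 literal. Stricter than RFC 3986 reg-name, which
# would still admit sub-delims such as ';' inside a host.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")
_IPV6_RE = re.compile(r"^[0-9A-Fa-f:.]+$")
_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")


class Authority(NamedTuple):
    userinfo: Optional[str]
    host: str
    port: Optional[int]


def parse_authority(uri: str) -> Optional[Authority]:
    """Split the authority of an absolute URI into (userinfo, host, port).

    Returns None when the host is missing or malformed, so a caller never
    sees a "host" such as 'localhost;' that a lenient parser would accept.
    """
    m = _AUTHORITY_RE.match(uri)
    if not m:
        return None
    authority = m.group(1)
    # userinfo is everything before the LAST '@' (RFC 3986 section 3.2.1);
    # without an '@' there is no userinfo, so 'localhost;' cannot be one.
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        userinfo = None
    if hostport.startswith("["):  # IP-literal
        end = hostport.find("]")
        if end < 0 or not _IPV6_RE.match(hostport[1:end]):
            return None
        host, portpart = hostport[1:end], hostport[end + 1:]
    else:
        host, colon, portstr = hostport.partition(":")
        portpart = colon + portstr
        if not _HOSTNAME_RE.match(host):  # rejects '' and 'localhost;'
            return None
    port = None
    if portpart:
        if not re.fullmatch(r":[0-9]+", portpart):
            return None
        port = int(portpart[1:])
        if port > 65535:
            return None
    return Authority(userinfo, host.lower(), port)
```

The constructed inputs `http://localhost;/path` (rejected) and `http://user;@localhost/path` (userinfo `user;`, host `localhost`) show the two readings the advisory contrasts.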

@github-actions github-actions bot added the BUILD label Jul 8, 2022
@bjornjorgensen bjornjorgensen marked this pull request as draft July 8, 2022 17:04
@bjornjorgensen bjornjorgensen changed the title [WIP][SPARK-39725][BUILD] Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622 [WIP][SPARK-39725][BUILD] Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622 Jul 8, 2022
@bjornjorgensen bjornjorgensen marked this pull request as ready for review July 8, 2022 19:00
@bjornjorgensen bjornjorgensen changed the title [WIP][SPARK-39725][BUILD] Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622 [SPARK-39725][BUILD] Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622 Jul 8, 2022
@bjornjorgensen (Contributor, Author) commented:
Note:

Jetty 9.4.x is now at End of Community Support.

We can't upgrade to Jetty 10.x because we are using Java 8.
Jetty 10.0.x requires Java 11+.

@HyukjinKwon (Member) commented:

Merged to master.

@bjornjorgensen bjornjorgensen deleted the jetty-http-9.4.48.v20220622 branch August 5, 2022 16:47