10.0.2

Changelog

⚠️ Important Security related Changes

• CVE-2021-28165 - #6072 - jetty server high CPU when client send data length > 17408
• CVE-2021-28164 - #6101 - Normalize ambiguous URIs
• CVE-2021-28163 - #6102 - Exclude webapps directory from deployment scan

Other Changes

• #4275 - Path Normalization/Traversal - Context Matching
• #5828 - Allow to create a WebSocketContainer passing HttpClient
• #5832 - Ctrl-C after jetty:run produces NoClassDefFoundError
• #5977 - Cache-Control header set by a filter is override by the value from DefaultServlet configuration
• #5994 - QueuedThreadPool "free" threads
• #5996 - ERROR : No module found to provide logback-impl for logback-access{enabled}
• #5999 - HttpURI ArrayIndexOutOfBounds
• #6001 - Ambiguous URI legacy compliance mode
• #6008 - Allow absolute paths to be provided in start.ini for request log directory.
• #6011 - OSGi Cannot start Jetty with osgi.boot - Configurations add wrong method taken
• #6020 - Review Jetty Maven Plugin scanning defaults
• #6021 - Standardize Path resolution in XmlConfiguration
• #6024 - Error starting jetty-10: Provider org.eclipse.jetty.websocket.javax.client.JavaxWebSocketShutdownContainer not found
• #6026 - the jvm DEBUG flag is not working org.eclipse.jetty.LEVEL=DEBUG
• #6034 - SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present
• #6037 - Review logging modules for j.u.l.
• #6050 - Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
• #6063 - Allow override of hazelcast version when using module
• #6076 - Embedded Jetty throws null pointer exception
• #6082 - SslConnection compacting
• #6085 - Jetty keeps Sessions in use after "Duplicate valid session cookies" Message

9.4.39.v20210325

Changelog

⚠️ Important Security related Changes

• CVE-2021-28165 - #6072 - jetty server high CPU when client send data length > 17408
• CVE-2021-28164 - #6101 - Normalize ambiguous URIs
• CVE-2021-28163 - #6102 - Exclude webapps directory from deployment scan

Other Changes

• #6034 - SslContextFactory may select a wildcard certificate during SNI selection when a more specific SSL certificate is present
• #6050 - Websocket: NotUtf8Exception after upgrade 9.4.35 -> 9.4.36 or newer
• #6052 - Cleanup TypeUtil and ModuleLocation to allow jetty-client/hybrid to work on Android
• #6063 - Allow override of hazelcast version when using module
• #6085 - Jetty keeps Sessions in use after "Duplicate valid session cookies" Message

9.4.38.v20210224

Changelog

• #6001 - Ambiguous URI legacy compliance mode
• #5999 - HttpURI ArrayIndexOutOfBounds
• #5994 - QueuedThreadPool "free" threads
• #5977 - Cache-Control header set by a filter is override by the value from DefaultServlet configuration

9.4.37.v20210219

Changelog

• This release addresses and resolves CVE-2020-27223
• #5979 - Configurable gzip Etag extension
• #5977 - Cache-Control header set by a filter is override by the value from DefaultServlet configuration
• #5976 - Adding requested Rewrite Rule to force request header values
• #5973 - Proxy client TLS authentication example
• #5963 - Improve QuotedQualityCSV
• #5950 - Deadlock due to logging inside classloaders
• #5937 - Unnecessary blocking in ResourceService
• #5909 - Cannot disable HTTP OPTIONS Method
• #5894 - Jetty 9.4.x 5859 classloader leak queuedthreadpool
• #5851 - org.eclipse.jetty.websocket.servlet.WebSocketServlet cleanup
• #5787 - Make ManagedSelector report better JMX data
• #5492 - Add ability to manage start modules by java feature
• #4275 - Path Normalization/Traversal - Context Matching

11.0.1

Changelog

• This release addresses and resolves CVE-2020-27223
• #5993 - Change more modules to glassfish-jstl
• #5941 - Use jakarta.servlet.jsp.jstl version 2 implementation from Eclipse Glassfish
• #5901 - Starting Jetty with JPMS produces warnings about Servlet resources not found
• #5761 - Remove unneeded dependencies from apache-jsp module
• #5759 - Update jakarta transaction, mail and injection apis
• #5752 - Fix Servlet 5 Schema redirects

10.0.1

Special Thanks to the following Eclipse Jetty community members

• @mmadoo (Nicolas)

Changelog

• This release addresses and resolves CVE-2020-27223
• #5966 - jetty-home should not have a webapps/ directory
• #5962 - Fix SampleStatistic.toString: mean dispay the max (@mmadoo)
• #5959 - Unify the handling of ServletContainerInitializers
• #5939 - Use unwrapped exception as exception type for error handling
• #5937 - Unnecessary blocking in ResourceService
• #5933 - ClientCertAuthenticator is not taking account SslContext configuration
• #5926 - Implementation of HttpServletRequest.upgrade
• #5902 - Grab Jetty startup output in documentation
• #5901 - Starting Jetty with JPMS produces warnings about Servlet resources not found
• #5882 - Simplify ALPN modules
• #5880 - Move test-simple-webapp to demos
• #5872 - Improve JMX support for Jetty logging
• #5868 - Cleaning up request attributes after websocket upgrade in Jetty 10
• #5866 - Support Programmatic WebSocket upgrade in Jetty 10
• #5861 - Fix bad refactor of WebSocket getMappings method.
• #5850 - NPE at WebSocketSession.java, public Principal getUserPrincipal() method
• #5803 - Temporary fix for challenged TCK test
• #5784 - Apache 2.0 license incorrectly stated as "secondary license" to EPL 2.0
• #5779 - Include can set pathInContext
• #5757 - Review Inferred vs Assumed charsets
• #5736 - Tries improvements
• #5706 - The WebSocket ServerUpgradeResponse can produce NPE in jetty 10.
• #5229 - WebSocket documentation in Jetty 10
• #4515 - Validation extension should not downcast CoreSession
• #4275 - Path Normalization/Traversal - Context Matching
• #1673 - jetty-demo/etc/keystore should not be distributed

9.4.36.v20210114

Special Thanks to the following Eclipse Jetty community members

• @joewitt (Joe Witt)
• @rk1165 (Ravi Kumar)
• @leonchen83 (Baoyi Chen)

Changelog

• #5870 - jetty-maven-plugin fails to run ServletContainerInitializer on Windows due to URI case comparison bug
• #5855 - HttpClient may not send queued requests
• #5845 - Use UTF-8 encoding for client basic auth if requested
• #5830 - Jetty-util contains wrong Import-Package
• #5825 - Revisit Statistics classes (@rk1165)
• #5824 - Build up of ConstraintMappings when stopping and starting WebAppContext
• #5821 - JMX-ify Scheduler implementations (@rk1165)
• #5820 - backport fix for ArithmeticException in Pool
• #5804 - Jetty 9.4.x spotbug issue map iteration using entrySet(), diamond list creation
• #5801 - Implement max duration of HTTP ConnectionPools
• #5794 - ServerConnector leaks closed sockets which can lead to file descriptor exhaustion (@joewitt)
• #5785 - Reduce log level for WebSocket connections closed by clients
• #5783 - Fix ConnectionStatistics.*Rate() methods
• #5778 - fix ByteBufferPool race condition
• #5755 - Cannot configure maxDynamicTableSize on HTTP2Client
• #5743 - max usage count fixes
• #5726 - Implement and test a WebSocket Proxy with the 9.4 Jetty API
• #5725 - Review Preventers
• #5722 - Broken Documentation links
• #5718 - Use File.list and File.walk within a try with resource
• #5713 - Get rid of test dependencies on derby
• #5709 - Bump maven-pmd-plugin from 3.13.0 to 3.14.0
• #5689 - Jetty ssl keystorePath doesn't work with absolute path
• #5672 - Bump maven-jxr-plugin from 2.5 to 3.0.0
• #5666 - Bump geronimo-atinject_1.0_spec from 1.1 to 1.2
• #5633 - Allow to configure HttpClient request authority
• #5499 - Improve temporary buffer usage for WebSocket PerMessageDeflate. (@leonchen83)

11.0.0

Eclipse Jetty 11.x Highlights

• Jetty 11.x has a minimum Java requirement of Java 11.
• Jetty 11.x modules are proper JPMS modules with module-info.class.
• Jetty 11.x supports the following technology specs (from the Jakarta EE 9 effort):
  • jakarta.servlet - 5.0.0
  • jakarta.servlet.jsp - 3.0.0
  • jakarta.servlet.jsp.jstl - 2.0.0
  • jakarta.el - 4.0.0
  • jakarta.websocket - 2.0.0
• Jetty 11.x is the first major version of Jetty to support the jakarta.servlet namespace.
  Use Jetty 10.x for the older (now outdated) javax.servlet namespace.

Important Changes

• Classic jetty logging facade has been replaced with slf4j-api usage
• There is no longer a jetty-distribution, use jetty-home with a proper ${jetty.base} instead.
  See: Operations Guide: Architecture
  • New demo jetty-start module exists to replace the old demo-base functionality.
• Remove jetty-all uber artifact
• Managing Configuration within a WebAppContext has a new API.
  (They are now self ordering and do not require knowledge of Jetty internals to use successfully)
• Complete WebSocket refactoring, those using the Jetty APIs or embedded-jetty will need to update their code.
  • Support for WebSocket over HTTP/2 (client and server)
• Jetty HttpClient has been improved.
  • Supports dynamic protocol upgrade (http/2 and http/1.1).
• Session management has been refactored as well.

Changelog

• #5715 - Fix problems caused by upgrade to jstl version.
• #5701 - Bump jakarta.servlet.jsp-api from 3.0.0-M1 to 3.0.0
• #5700 - Bump jakarta.servlet.jsp.jstl-api from 2.0.0-RC1 to 2.0.0
• #5626 - Bump maven-resources-plugin from 3.1.0 to 3.2.0
• #5608 - Bump maven-project-info-reports-plugin from 3.0.0 to 3.1.1
• #5585 - Bump jakarta.annotation-api from 2.0.0-RC1 to 2.0.0
• #5550 - Bump maven-source-plugin from 3.0.1 to 3.2.1
• #5549 - Bump hazelcast.version from 4.0.1 to 4.0.3
• #5548 - Bump geronimo-interceptor_1.2_spec from 1.1 to 1.2
• #5506 - Bump weld-servlet-core from 4.0.0.Beta1 to 4.0.0.Beta5
• #5473 - Bump appassembler-maven-plugin from 2.0.0 to 2.1.0
• #5472 - Bump jna from 5.5.0 to 5.6.0
• #5470 - Bump mail-api.version from 2.0.0-RC4 to 2.0.0-RC6
• #5423 - Bump jakarta.servlet-api from 5.0.0-M1 to 5.0.0
• #5380 - Bump maven-war-plugin from 3.2.3 to 3.3.1
• #4568 - Use jakarta.* namespace for new Jakarta EE 9 "Big Bang" artifacts

10.0.0

Eclipse Jetty 10.x Highlights

• Jetty 10.x has a minimum Java requirement of Java 11.
• Jetty 10.x modules are proper JPMS modules with module-info.class.
• Jetty 10.x supports the following technology specs (from the Jakarta EE 8 effort):
  • javax.servlet - 4.0.1
  • javax.servlet.jsp - 2.2
  • javax.servlet.jsp.jstl - 1.2
  • javax.el - 3.0.0
  • javax.websocket - 1.1
• Jetty 10.x will be the last major version of Jetty to support the javax.servlet namespace.
  Use Jetty 11.x for the updated jakarta.servlet namespace.

Important Changes

• Classic jetty logging facade has been replaced with slf4j-api usage
• There is no longer a jetty-distribution, use jetty-home with a proper ${jetty.base} instead.
  See: Operations Guide: Architecture
  • New demo jetty-start module exists to replace the old demo-base functionality.
• Remove jetty-all uber artifact
• Managing Configuration within a WebAppContext has a new API.
  (They are now self ordering and do not require knowledge of Jetty internals to use successfully)
• Complete WebSocket refactoring, those using the Jetty APIs or embedded-jetty will need to update their code.
  • Support for WebSocket over HTTP/2 (client and server)
• Jetty HttpClient has been improved.
  • Supports dynamic protocol upgrade (http/2 and http/1.1).
• Session management has been refactored as well.

Special Thanks to the following Eclipse Jetty community members

• @dejpec (dejpec)
• @dennyac (Denny Abraham Cheriyan)
• @grgrzybek (Grzegorz Grzybek)
• @schnittstabil (Michael Mayer)
• @attiand (Mattias Andersson)

Changelog

• #5739 - jetty-distribution is not created when building 11.0.0.beta3
• #5732 - Fix ArithmeticException "/ by zero" in Pool.acquire()
• #5729 - Do not create and use jars with "tests" classifier.
• #5710 - remove unnecessary transition to READY in ContentProducer.isReady
• #5705 - Move websocket-util classes into websocket-core
• #5698 - Bump commons-codec from 1.13 to 1.15
• #5695 - Bump api-ldap-schema-data from 2.0.0 to 2.0.1
• #5694 - Bump commons-lang3 from 3.9 to 3.11
• #5691 - HttpInput may skip setting fill interest
• #5679 - Distro argument --list-all-modules does not work
• #5674 - Drop /jetty-spring/ module
• #5648 - Use Filter name to identify the WebSocketUpgradeFilter.
• #5622 - Bump javax.servlet.jsp.jstl from 1.2.2 to 1.2.5
• #5615 - Bump maven-project-info-reports-plugin from 3.0.0 to 3.1.1
• #5597 - Cleanups to WebSocket CloseStatus
• #5594 - Bump tycho-version from 2.0.0 to 2.1.0
• #5592 - Bump hazelcast.version from 4.0.1 to 4.1
• #5566 - Tries cleanup
• #5547 - Bump org.eclipse.osgi from 3.6.0.v20100517 to 3.7.1
• #5543 - Bump spring-beans from 5.2.9.RELEASE to 5.3.0
• #5526 - Access to cookie config with accessor method (@dejpec)
• #5521 - ResourceCollection NPE in list()
• #5503 - Bump spring-beans from 5.1.1.RELEASE to 5.2.9.RELEASE
• #5493 - StatisticsHandler broken for async applications
• #5469 - Bump jaxws-rt from 2.3.0.2 to 2.3.3
• #5468 - Bump openpojo from 0.8.1 to 0.8.13
• #5467 - Bump maven-jxr-plugin from 2.5 to 3.0.0
• #5466 - Bump jakarta.annotation-api from 1.3.4 to 1.3.5
• #5465 - Bump github-api from 1.114 to 1.116
• #5459 - Fix archive assemblies (tar.gz and zip) to have fixed file/dir modes.
• #5448 - Request.isSecure() returns false for https schemes in Jetty 10
• #5432 - Bump ant.version from 1.10.8 to 1.10.9
• #5422 - Bump asciidoctorj-diagram from 2.0.2 to 2.0.5
• #5413 - simplify the usage of WebSocketUpgradeFilter in jetty 10
• #5406 - throw ISE if the WebSocketSCI configure() is called on a started ServletContextHandler
• #5394 - Quickstart does not inject/decorate objects
• #5391 - Bump javax.servlet-api from 3.1.0 to 4.0.1
• #5390 - Bump maven-artifact-transfer from 0.11.0 to 0.12.0
• #5379 - Better handling for wrong SNI
• #5378 - Filter/Servlet/Listener Holders are not started if added during STARTING state.
• #5367 - Reorg of /demos/ with focus on demo-spec downstream dependencies.
• #5360 - demo-spec module incorrectly depends on demo-jndi
• #5350 - Bump jsp-api from 2.1 to 2.2
• #5349 - Bump asm.version from 8.0.1 to 9.0
• #5347 - Bump maven-jar-plugin from 3.1.2 to 3.2.0
• #5333 - Bump derby from 10.14.2.0 to 10.15.2.0
• #5327 - NPE from jetty test webapp
• #5320 - Using WebSocketClient with jetty-websocket-httpclient.xml in a Jetty web application causes ClassCastException
• #5304 - HTTP/2 with HttpServletRequest.getHeader("Host") returns null on Jetty 10, but a valid value on Jetty 9
• #5302 - Bump mariadb-java-client from 2.6.0 to 2.6.2
• #5287 - CompressionPools should use the new jetty-util Pool class
• #5280 - Remove unused methods on SessionHandler
• #5272 - The UserStore and PropertyUserStore classes are hard to re-use for caching eg JDBC data
• #5262 - Bump exec-maven-plugin from 1.6.0 to 3.0.0
• #5260 - Bump flatten-maven-plugin from 1.0.1 to 1.2.5
• #5256 - Cleanup Jetty 10 Start
• #5254 - Short list of Jetty modules
• #5239 - Bump tycho-version from 1.4.0 to 2.0.0
• #5238 - Bump jmh.version from 1.25.1 to 1.25.2
• #5237 - Bump org.eclipse.osgi from 3.15.100 to 3.15.300
• #5236 - Bump org.eclipse.osgi.services from 3.7.100 to 3.8.0
• #5235 - Jetty WebSocket API minor cleanups before Jetty-10 full release
• #5211 - Bump jmh.version from 1.21 to 1.25.1
• #5192 - Bump apacheds.version from 2.0.0-M24 to 2.0.0.AM26
• #5191 - Bump jaxb-api from 2.3.0 to 2.3.1
• #5190 - Bump jnr-unixsocket from 0.24 to 0.34
• #5188 - Bump derbytools from 10.14.2.0 to 10.15.2.0
• #5181 - Update to spifly 1.3.0
• #5178 - Update to asm 8.0.1
• #5171 - GzipHandler Vary head should be configurable
• #5170 - NullPointerException in HttpReceiverOverHTTP during WebSocket client Upgrade
• #5157 - Bump ant from 1.8.4 to 1.10.8
• #5154 - Fix WebSocketServerExamplesTest to work after maven surefire update
• #5096 - using JettyWebSocketServlet without having a WebSocketUpgradeFilter
• #5093 - Review UrlEncoded locking
• #5086 - Review Scanner locking
• #5083 - Convert synchronized usages to AutoLock
• #5075 - restore old ServletPathMapping even for include dispatch types
• #5044 - Jetty WebSocket UpgradeRequest & UpgradeResponse types in Jetty 10
• #5043 - WebSocketListener anonymous classes should be invocable
• #5025 - dispatcher.include() with welcome files lead to stack overflow error (@grgrzybek)
• #5018 - WebSocketClient connect / upgrade timeout not configurable
• #4996 - Warning log printed when debug is enabled in AbstractLifecycle.java
• #4985 - Fix NPE related to use of Attributes.Wrapper getAttributeNameSet()
• #4978 - only include jetty-slf4j-impl jar once in jetty-home
• #4952 - fix websocket JPMS warnings and build issues
• #4919 - websocket container stop ordering
• #4907 - org.eclipse.jetty.websocket.tests.SuspendResumeTest#testSuspendAfterClose
• #4903 - Give better errors for non public Websocket Endpoints
• #4858 - add setReuseAddress() to ClientConnector
• #4830 - Add JMX to new Jetty 10 jetty-slf4j-impl
• #4825 - PushBuilder tck test failures
• #4815 - Allow a ConnectionFactory (eg SslConnectionFactory) to automatically add a Customizer
• #4808 - Review HttpClient Request header APIs
• #4800 - WebSocket DistributionTests failure on JDK14
• #4794 - HttpInput.setReadListener should throw IllegalStateException if async not started
• #4780 - upgrade spifly to 1.2.4 and replace jdk13 build with jdk14
• #4777 - Immutable HttpFields and MetaData
• #4775 - cleanup and add tests for the unused ws message handlers
• #4765 - Review GzipHandler inside ServletContextHandler
• #4762 - Request.authenticate(Response) should return true if already authenticated
• #4760 - Response.setLocale should override previous Response.setLocale
• #4759 - Improve keystore exception message when keystore is not valid (@schnittstabil)
• #4757 - Use HandlerList instead of HandlerCollection
• #4752 - HttpSessionListener.sessionCreated should be called in order listener was added; sessionDestroyed in reverse order
• #4747 - Investigate websocket tck failures for jetty-10
• #4741 - getHttpServletMapping for async dispatch
• #4722 - Jetty-10 websocket-servlet exposes websocket-core classes
• #4719 - ContentType with no char encoding should use previous char encoding
• #4713 - AsyncContext.dispatch does not remember the query string of the request
• #4707 - Value for ServletContext.setSessionTimeout is wrong in StandardDescriptorProcessor
• #4700 - ServletContext.createXXX() methods should throw UnsupportedOperationException
• #4697 - Default and EffectiveSessionTrackingModes should throw UnsupportedOperationException
• #4691 - Use MethodHandles.lookup() consistently in WebSocket code
• #4683 - jetty-slf4j-impl has incorrect manifest
• #4672 - Refactor CrossOriginFilter with small perf improvements (@dennyac)
• #4669 - websocket JPMS fixes to not export websocket-core
• #4666 - upgrade openwebbeans-web to 2.0.15
• #4656 - XmlConfiguration cleanup
• #4647 - Hazelcast remote.xml configuration file do not configure hazelcast remote addresses (@attiand)
• #4620 - Using console-capture with StdErrLog results in empty log file
• #4610 - Docs for OpenID
• #4603 - Investigate WebSocketOverHTTP2Test.testServerConnectionClose()
• #4598 - Add URI mapping to InetAccessHandler
• #4581 - Remove javadoc for overridden methods
• #4577 - request getPathInfo returns null
• #4572 - Replace Jetty Logging
• #4567 - Jetty logging supporting Throwable as last argument
• #4563 - remove deprecated jetty-runner
• #4556 - HttpInput refactoring
• #4552 - Fix MethodHandles lookup to support JPMS runtime mode
• #4548 - duplicated classes between jetty and javax websocket implementations
• #4538 - review WebSocket MessageWriter and MessageReader
• #4527 - Make the WebS...

9.4.35.v20201120

Important Change

• #5605 : java.io.IOException: unconsumed input during http request parsing

Bugs

• #4711 : Reset trailers on recycled response
• #5486 : PropertyFileLoginModule retains PropertyUserStores
• #5562 : ArrayTernaryTrie consumes too much memory

Enhancements

• #5539 : StatisticsServlet output now available in json, xml, text, and html
• #5575 : Add SEARCH as a known HttpMethod
• #5633 : Allow to configure HttpClient request authority (even on HTTP/2)