[Jetty-announce] Jetty release 6.1.22

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[Jetty-announce] Jetty release 6.1.22

Greg Wilkins

Jetty release 6.1.22 is now available via http://jetty.mortbay.org

This release contains a work around for the vulnerability in the SSL
protocol that is documented in CVE-2009-3555.   The work around
prevents renegotiation of SSL connections and this prevents man
in the middle text injection.   This work around may affect some
client certificate usage and for that, an updated JVM will be

Another security related fix is that the log is now filtered
for control characters to protect against vulnerable xterms.

It is highly recommended that all jetty 6 servers are updated
to use 6.1.22

jetty-6.1.22 16 November 2009
 + Fixed XSS issue in demo CometDump servlet
 + JETTY-937 More JVM bug work arounds. Insert pause if all else fails
 + JETTY-983 Send content-length with multipart ranges
 + JETTY-1120 Requests with no body are treated as complete even if there's a LF left to read
 + JETTY-1121 Merge Multipart query parameters
 + JETTY-1122 Handle multi-byte utf that causes buffer overflow
 + JETTY-1129 Filter control characters out of StdErrLog
 + JETTY-1135 Handle connection closed before accepted during JVM bug work around
 + JETTY-1144 Fixed multi-byte character overflow
 + JETTY-1148 Reset partially read request reader.
 + COMETD-28 Improved concurrency usage in Bayeux and channel handling
 + 289221 HttpExchange does not timeout when using blocking connector
 + 290761 HttpExchange.waitForDone()
 + 291340 state==HEADER (Race condition in onException() notifications)
 + 292546 Proactively enforce HttpClient idle timeout
 + CVE-2009-3555 Prevent SSL renegotiate for SSL vulnerability

Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
Jetty-announce mailing list
[hidden email]