Jetty release 6.1.19


Greg Wilkins-5

Jetty release 6.1.19 is now available via http://jetty.mortbay.org

This release contains several security fixes.

The most serious of these is a cookie vulnerability if Jetty is deployed
behind a proxy or NetScaler that can multiplex multiple users onto a single
connection.  In such circumstances, a crafted request could be assigned the
cookie values of a prior request. However, the cookies are not revealed to the
client, so a consistent exploit would be difficult to create.
If you do not share connections between users, then you are not vulnerable
to this issue.

There is also a fix for an XSS vulnerability with exceptions thrown with
user-supplied code in their messages. If you have a custom error handler or
turn off stack traces in the default error handler, then you are not vulnerable.

If running with alias support (not recommended), there is an additional check
to prevent trivial aliases revealing JSP source.

There are also several improvements and upgrades such as the latest cometd,
debian bundling, as well as several bug fixes.


jetty-6.1.19 1 July 2009
 + JETTY-799 shell script for jetty on cygwin
 + JETTY-863 Non blocking stats handler
 + JETTY-937 Further Improvements for sun JVM selector bugs
 + JETTY-970 BayeuxLoadGenerator latency handling
 + JETTY-1011 Grizzly uses queued thread pool
 + JETTY-1028 jetty:run plugin should check for the web.xml from the overlays if not found in src/main/webapp/WEB-INF/
 + JETTY-1029 Handle quoted cookie paths
 + JETTY-1031 Handle large pipeline
 + JETTY-1033 jetty-plus compiled with jdk1.5
 + JETTY-1034 Cookie parsing
 + JETTY-1037 reimplemented channel doRemove
 + JETTY-1040 jetty.client.HttpConnection does not handle non IOExceptions
 + JETTY-1042 Avoid cookie reuse on shared connection
 + JETTY-1044 add commons-daemon support as contrib/start-daemon module
 + JETTY-1045 Handle the case where request.PathInfo() should be "/*"
 + JETTY-1046 maven-jetty-jspc-plugin keepSources takes effect only in packageRoot
 + JETTY-1047 Cometd client can grow cookie headers
 + JETTY-1048 Default servlet can handle partially filtered large static content
 + JETTY-1049 Improved transparent proxy usability
 + JETTY-1054 Avoid double deploys
 + JETTY-1055 Cookie quoting
 + JETTY-1057 Error page stack trace XSS
 + JETTY-1058 Handle trailing / with aliases on
 + JETTY-1062 Don't filter cometd message without data
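The shared-connection cookie issue (JETTY-1042) above, modelled as an added example that is not Jetty's code or Greg's: a deliberately simplified connection handler that keeps parsed cookies as per-connection state, beside one that rebuilds cookie state per request. The request parser, class names and sample requests are all assumptions constructed for the illustration.

```python
"""Simplified model of cookie state leaking between requests on one connection.
Not Jetty's implementation; the parser and classes are constructed for illustration."""


def parse_request(raw: str):
    """Split a minimal HTTP/1.1 request head into (request_line, {header: [values]})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_cookies(header_values):
    """Turn Cookie header values ('a=1; b="2"') into a dict, stripping quotes."""
    cookies = {}
    for value in header_values:
        for part in value.split(";"):
            if "=" in part:
                name, val = part.split("=", 1)
                cookies[name.strip()] = val.strip().strip('"')
    return cookies


class BuggyConnection:
    """Cookies cached on the connection: a request with no Cookie header
    inherits whatever the previous request on the same connection sent."""

    def __init__(self):
        self._cookies = {}

    def handle(self, raw: str) -> dict:
        _, headers = parse_request(raw)
        if "cookie" in headers:          # only overwritten when a header is present
            self._cookies = parse_cookies(headers["cookie"])
        return dict(self._cookies)


class FixedConnection:
    """Cookie state belongs to the request: rebuilt from scratch every time,
    so a request without a Cookie header sees no cookies at all."""

    def handle(self, raw: str) -> dict:
        _, headers = parse_request(raw)
        return parse_cookies(headers.get("cookie", []))


# Constructed sample: two different users' requests multiplexed by a proxy onto one connection.
FIRST_USER = "GET /account HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=\"abc123\"\r\n\r\n"
CRAFTED = "GET /account HTTP/1.1\r\nHost: app.example\r\n\r\n"   # no Cookie header


def cookies_seen_by_second_request(conn_cls) -> dict:
    """Send both requests down one connection and report what the second one is assigned."""
    conn = conn_cls()
    conn.handle(FIRST_USER)
    return conn.handle(CRAFTED)
```

With the buggy handler the second request is assigned the first user's JSESSIONID; the fixed handler assigns it nothing, which is the behaviour a reverse proxy with connection sharing needs from the backend.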


