Fix CVE-2024-6763 #12532

Merged: 1 commit merged into jetty-9.4.x from fix/CVE-2024-6763/BadAuthority, Nov 14, 2024
Conversation

gregw (Contributor) commented Nov 13, 2024

Back port the fix for CVE-2024-6763.

Better validation of authority in HttpURI. No known exploits.

Back port the fix for [CVE-2024-6763](GHSA-qh8g-58pp-2wxh).

Better validation of authority in HttpURI.  No known exploits.
@@ -36,6 +36,7 @@ public enum HttpComplianceSection
NO_AMBIGUOUS_PATH_SEPARATORS("https://tools.ietf.org/html/rfc3986#section-3.3", "No ambiguous URI path separators"),
NO_AMBIGUOUS_PATH_PARAMETERS("https://tools.ietf.org/html/rfc3986#section-3.3", "No ambiguous URI path parameters"),
NO_UTF16_ENCODINGS("https://www.w3.org/International/iri-edit/draft-duerst-iri.html#anchor29", "UTF16 encoding"),
NO_USER_INFO("https://datatracker.ietf.org/doc/html/rfc9110#name-deprecation-of-userinfo-in-", "User info in authority"),
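Review bot: adding NO_USER_INFO to the enum is only half of what a reader needs to see here; the hunk does not show the new section being included in any HttpCompliance mode's section set, so confirm that the default modes (or the HttpURI check itself) actually consult it, otherwise userinfo in the authority is still accepted silently. Two smaller points: the description "User info in authority" names what is rejected rather than the rule, unlike the "No ambiguous URI path ..." entries above it, so "No user info in authority" would read consistently; and the RFC 9110 link ends in "-in-", which looks truncated, so verify it resolves to the "Deprecation of userinfo in http URIs" section (4.2.4).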
Contributor (review comment on the hunk above):

Weird place for this, but oh well, it is Jetty 9.x ...

@gregw gregw merged commit db8bb7a into jetty-9.4.x Nov 14, 2024
7 checks passed
@gregw gregw deleted the fix/CVE-2024-6763/BadAuthority branch November 14, 2024 06:09
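The ambiguity that the NO_USER_INFO compliance section in the hunk above targets, shown as an added example that is not Jetty's HttpURI code: a small authority parser written here in Python that splits the authority into userinfo, host and port per RFC 3986 section 3.2, refuses userinfo by default (RFC 9110 section 4.2.4 deprecates it in http URIs), and also validates IPv6 literals and port numbers, which goes beyond the single enum entry in the diff. Beside it sits the kind of prefix-based host check that a userinfo-bearing authority defeats. The names (parse_authority, Authority, BadAuthority, rejects, naive_is_trusted, strict_is_trusted) and the sample authorities are this example's own, not the project's.

```python
"""Strict authority parsing for http(s) URIs (illustrative, not Jetty's HttpURI).

Splits authority = [ userinfo "@" ] host [ ":" port ] per RFC 3986 section 3.2
and rejects userinfo by default, since RFC 9110 section 4.2.4 deprecates it in
http URIs. Names and sample inputs are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# reg-name = *( unreserved / pct-encoded / sub-delims ); it also covers dotted IPv4.
_REG_NAME = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$")
# IP-literal, checked loosely (no IPvFuture or zone-id handling).
_IP_LITERAL = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")
# port = *DIGIT (ASCII digits only; str.isdigit would also accept Unicode digits)
_PORT = re.compile(r"^[0-9]+$")


class BadAuthority(ValueError):
    """Authority violates the rules enforced here."""


@dataclass(frozen=True)
class Authority:
    userinfo: Optional[str]
    host: str
    port: Optional[int]


def parse_authority(authority: str, allow_userinfo: bool = False) -> Authority:
    """Parse an authority string; raise BadAuthority on anything ambiguous."""
    userinfo = None
    hostport = authority
    # RFC 3986 3.2.1: '@' is not a userinfo character, so the first '@' delimits it.
    if "@" in authority:
        userinfo, hostport = authority.split("@", 1)
        if not allow_userinfo:
            raise BadAuthority(f"userinfo not allowed in authority: {authority!r}")
    if hostport.startswith("["):
        # RFC 3986 3.2.2: bracketed IP-literal; any port follows the closing ']'.
        end = hostport.find("]")
        if end < 0:
            raise BadAuthority(f"unterminated IP-literal: {hostport!r}")
        host, rest = hostport[: end + 1], hostport[end + 1 :]
        if not _IP_LITERAL.match(host):
            raise BadAuthority(f"bad IP-literal: {host!r}")
    else:
        host, sep, tail = hostport.partition(":")
        rest = sep + tail
        if not host:
            raise BadAuthority(f"empty host in authority: {authority!r}")
        if not _REG_NAME.match(host):
            raise BadAuthority(f"bad host: {host!r}")
    port = None
    if rest:
        if not rest.startswith(":"):
            raise BadAuthority(f"unexpected text after host: {rest!r}")
        digits = rest[1:]
        if digits:  # RFC 3986 allows an empty port ("host:"); treat it as absent
            if not _PORT.match(digits) or int(digits) > 65535:
                raise BadAuthority(f"bad port: {digits!r}")
            port = int(digits)
    return Authority(userinfo, host, port)


def rejects(authority: str, allow_userinfo: bool = False) -> bool:
    """True if parse_authority refuses the input."""
    try:
        parse_authority(authority, allow_userinfo)
    except BadAuthority:
        return True
    return False


def naive_is_trusted(authority: str, trusted_host: str) -> bool:
    """Prefix check a careless allowlist might use; userinfo defeats it."""
    return authority.startswith(trusted_host)


def strict_is_trusted(authority: str, trusted_host: str) -> bool:
    """Compare the parsed host only, after the parser has refused userinfo."""
    try:
        return parse_authority(authority).host.lower() == trusted_host.lower()
    except BadAuthority:
        return False


if __name__ == "__main__":
    # Constructed sample: the text before '@' is userinfo; the real host is evil.example.
    crafted = "trusted.example@evil.example"
    print("naive :", naive_is_trusted(crafted, "trusted.example"))   # True
    print("strict:", strict_is_trusted(crafted, "trusted.example"))  # False (rejected)
    print("lenient parse:", parse_authority(crafted, allow_userinfo=True))
```

The point of the two checks side by side is that a library consumer who inspects the authority string with a prefix or substring test sees "trusted.example" in the crafted value, while a parser that follows RFC 3986 puts everything before the first '@' into userinfo and reports evil.example as the host; refusing userinfo outright removes that split interpretation, which is what a NO_USER_INFO style compliance rule buys.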
m-jin commented Nov 25, 2024

Hi, do we know when this fix will be released?

gregw (Contributor, Author) commented Nov 25, 2024

Hi, do we know when this fix will be released?

Jetty-9.4 is end-of-open-support, so the timing of the release will depend on our commercial clients. Having said that, we typically start release cycles at the end of the month, with releases available early in the next month (although Thanksgiving might put us back a week this month). So it is plausible that it will be released in the next few weeks. Note that the Jetty server itself is in no way vulnerable; it is only if you are using Jetty classes as a library. This back port was more about silencing reporting tools than fixing an actual vulnerability.

@lachlan-roberts lachlan-roberts added the Sponsored This issue affects a user with a commercial support agreement label Dec 9, 2024