http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763 #7578

Open
kevin-lee opened this issue Nov 12, 2024 · 2 comments
kevin-lee commented Nov 12, 2024
http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763

Why?

Why Not Update http4s 0.23?

Any Other Things to Know?

  • Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
  • Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but I only added support for Jakarta EE 8 to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.

NOTE:

I've been working on it, and it seems to be working. I will do the same for http4s-jetty as well.

kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 12, 2024
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- http4s 0.22's http4s-jetty uses Jetty 9.
- Jetty 9's community support ended in June 2022.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s should use Jetty 12, the current stable version.
- Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
- Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
@kevin-lee kevin-lee changed the title http4s 0.22: Support Jetty 12 http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763 Nov 13, 2024
kevin-lee added a commit to kevin-lee/http4s that referenced this issue Nov 13, 2024
…ss `CVE-2024-6763`

- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
- http4s 0.22's http4s-jetty uses Jetty 9.
- Jetty 9's community support ended in June 2022.
- Community support for Jetty 10 and Jetty 11 ended in January 2024.
- To solve the issue, http4s should use Jetty 12, the current stable version.
- Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
- Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
- Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from `javax` to `jakarta` starting with Jakarta EE 9.
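As an added dependency-audit check (example code, not part of the issue or of http4s), the script below scans `sbt dependencyTree`-style output for Eclipse Jetty artifacts and flags versions inside the range the commit messages above give for CVE-2024-6763 (7.0.0 through 12.0.11). The tree text is a constructed sample; the version parser handles Jetty 9's `9.4.x.vYYYYMMDD` format as well as plain Jetty 10/11/12 versions.

```python
import re

# Affected range as stated in the issue's commit messages (inclusive bounds).
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (12, 0, 11)

# Constructed sample of `sbt dependencyTree` output; not real project output.
SAMPLE_TREE = """\
[info] com.example:my-service_2.13:1.0.0 [S]
[info]   +-org.eclipse.jetty:jetty-server:9.4.56.v20240826
[info]   | +-org.eclipse.jetty:jetty-http:9.4.56.v20240826
[info]   +-org.eclipse.jetty:jetty-servlet:9.4.56.v20240826
[info]   +-org.eclipse.jetty.ee8:jetty-ee8-servlet:12.0.11
[info]   +-org.eclipse.jetty:jetty-server:12.0.14
"""

# Matches group:artifact:version for any org.eclipse.jetty[.ee8|.ee10|...] group.
_DEP_RE = re.compile(r"(org\.eclipse\.jetty(?:\.[\w-]+)?):([\w.-]+):(\S+)")
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_jetty_version(version):
    """Return the leading (major, minor, patch) triple, ignoring suffixes
    such as Jetty 9's '.v20240826' timestamp; None if unparseable."""
    m = _VER_RE.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if the version falls inside the range stated in the issue."""
    v = parse_jetty_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def find_affected(tree_text):
    """Return unique (group:artifact, version) pairs in the affected range,
    in order of first appearance."""
    hits = []
    for group, artifact, version in _DEP_RE.findall(tree_text):
        entry = (f"{group}:{artifact}", version)
        if is_affected(version) and entry not in hits:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for coord, version in find_affected(SAMPLE_TREE):
        print(f"affected: {coord}:{version}")
```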
@arixmkii

Http4s 0.22 is EOL #6334

@kevin-lee

@arixmkii I understand that and explained the reason why I created this ticket above. Because it's EOL, I also provided the PR (#7579) to fix it.
