-
Notifications
You must be signed in to change notification settings - Fork 790
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http4s 0.22
: Add support for Jetty 12
to address CVE-2024-6763
#7578
Comments
kevin-lee
added a commit
to kevin-lee/http4s
that referenced
this issue
Nov 12, 2024
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority). - http4s 0.22's http4s-jetty uses Jetty 9. - Jetty 9's community support ended in June 2022. - Community support for Jetty 10 and Jetty 11 ended in January 2024. - To solve the issue, http4s should use Jetty 12, the current stable version. - Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2. - Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary. - Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
kevin-lee
added a commit
to kevin-lee/http4s
that referenced
this issue
Nov 12, 2024
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority). - http4s 0.22's http4s-jetty uses Jetty 9. - Jetty 9's community support ended in June 2022. - Community support for Jetty 10 and Jetty 11 ended in January 2024. - To solve the issue, http4s should use Jetty 12, the current stable version. - Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2. - Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary. - Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
kevin-lee
added a commit
to kevin-lee/http4s
that referenced
this issue
Nov 12, 2024
- Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority). - http4s 0.22's http4s-jetty uses Jetty 9. - Jetty 9's community support ended in June 2022. - Community support for Jetty 10 and Jetty 11 ended in January 2024. - To solve the issue, http4s should use Jetty 12, the current stable version. - Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2. - Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary. - Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.
kevin-lee
changed the title
http4s
http4s Nov 13, 2024
0.22
: Support Jetty 12
0.22
: Add support for Jetty 12
to address CVE-2024-6763
kevin-lee
added a commit
to kevin-lee/http4s
that referenced
this issue
Nov 13, 2024
…ss `CVE-2024-6763` - Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority). - http4s 0.22's http4s-jetty uses Jetty 9. - Jetty 9's community support ended in June 2022. - Community support for Jetty 10 and Jetty 11 ended in January 2024. - To solve the issue, http4s should use Jetty 12, the current stable version. - Updating the 0.22 version is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2. - Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary. - Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but support for only Jakarta EE 8 is added to minimize changes, as the API namespace moved from `javax` to `jakarta` starting with Jakarta EE 9.
Http4s 0.22 is EOL #6334 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
http4s
0.22
: Add support for Jetty12
to addressCVE-2024-6763
Why?
0.22
'shttp4s-jetty
uses Jetty 9.12
, the current stable version.Why Not Update http4s 0.23?
cats-effect
2
.cats-effect
to3
?Any Other Things to Know?
javax
tojakarta
starting with Jakarta EE 9.NOTE:
I've been working on it, and it seems to be working. I will do the same for http4s-jetty as well.
The text was updated successfully, but these errors were encountered: