cognitect-labs / aws-api

AWS, data driven
Apache License 2.0

Vulnerable Jetty Dependency #215

Closed dbrrr closed 1 year ago

dbrrr commented 2 years ago

Hey folks!

lein-nvd reports vulnerabilities in Jetty, which is a dependency used by the http-client:

[com.cognitect.aws/api "0.8.539" :exclusions [[org.clojure/data.json] 
  [com.cognitect/http-client "1.0.110"]
     [org.eclipse.jetty/jetty-client "9.4.44.v20210927"]
       [org.eclipse.jetty/jetty-io "9.4.44.v20210927"]

The CVEs are listed as follows:

+---------------------------------+---------------+
| dependency                      | status        |
+---------------------------------+---------------+
| jetty-http-9.4.44.v20210927.jar | CVE-2022-2047 |
| jetty-io-9.4.44.v20210927.jar   | CVE-2022-2191 |
+---------------------------------+---------------+

With accompanying links: CVE-2022-2047 CVE-2022-2191

The issues both seem to span a range of releases: In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions

So a fix with minimal changes may be to bump to 9.4.48.v20220622, although the current version is at 11.0.11.
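As an added illustration (not from the issue or the aws-api project), a Leiningen project.clj for a consumer of aws-api 0.8.539 that pins the three Jetty artifacts named in the report to the 9.4.48.v20220622 release the reporter suggests, relying on Leiningen's nearest-wins conflict resolution so the scanner stops flagging them while an upstream fix is pending; the project name and the lein-nvd plugin version are placeholders.

```clojure
;; project.clj (added example; project name and plugin version are placeholders)
(defproject example/aws-consumer "0.1.0-SNAPSHOT"
  :dependencies [[org.clojure/clojure "1.11.1"]
                 ;; 0.8.539 is the version from the report. Once the fixed
                 ;; aws-api release is available, upgrade it and drop the pins.
                 [com.cognitect.aws/api "0.8.539"]
                 ;; Direct (top-level) declarations take precedence over the
                 ;; transitive 9.4.44.v20210927 that http-client pulls in,
                 ;; because Leiningen/Aether resolves conflicts nearest-first.
                 ;; Pin all three so the Jetty artifacts stay at one version.
                 [org.eclipse.jetty/jetty-client "9.4.48.v20220622"]
                 [org.eclipse.jetty/jetty-http "9.4.48.v20220622"]
                 [org.eclipse.jetty/jetty-io "9.4.48.v20220622"]]
  ;; lein-nvd runs the NVD scan that produced the table above.
  :plugins [[lein-nvd "x.y.z"]])  ; placeholder version, not a real release
```

Confirm the override took effect with `lein deps :tree` (no 9.4.44.v20210927 Jetty artifact should remain in the tree), then re-run `lein nvd check` to see the two CVEs drop out of the report.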

dchelimsky commented 1 year ago

This is fixed in main, but not yet released. I'll have a release out today or Monday with this fix. cc @MageMasher

dchelimsky commented 1 year ago

Released in version com.cognitect.aws/api-0.8.575

dbrrr commented 1 year ago

Thank you!! 🙏