confluentinc / common

Common utilities library containing metrics, config and utils
Apache License 2.0

Downgrade jetty package #590

Closed shubh-ranade closed 3 months ago

shubh-ranade commented 4 months ago

Downgrade jetty to 9.4.53. The recent version upgrade in #582 affects DoS filtering in the rest-utils jetty server.

rest-utils changes: https://github.com/confluentinc/rest-utils/pull/478

cla-assistant[bot] commented 4 months ago

CLA assistant check
All committers have signed the CLA.

cla-assistant[bot] commented 4 months ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

janjwerner-confluent commented 4 months ago

Can you please downgrade only the servlets package in the rest-utils repository? jetty-server 9.4.53 is vulnerable to a high-severity vulnerability: CVE-2023-44487

janjwerner-confluent commented 3 months ago

@shubh-ranade Can we close this PR as the alternative approach was taken?

trnguyencflt commented 3 months ago

Closing this as we have decided on an alternate approach.