perwendel / spark

A simple expressive web framework for java. Spark has a kotlin DSL https://github.com/perwendel/spark-kotlin
Apache License 2.0

Please upgrade Jetty to newer version #1145

Open ludoch opened 4 years ago

ludoch commented 4 years ago

It seems that I am facing the Jetty bug https://github.com/eclipse/jetty.project/issues/3630 on the Google App Engine Java 11 runtime, so it would be nice to have a newer release with the update so that App Engine customers can run SparkJava.

ludoch commented 4 years ago

As a workaround, we can do for now:

    <dependency>
      <groupId>com.sparkjava</groupId>
      <artifactId>spark-core</artifactId>
      <version>2.9.1</version>
      <exclusions>
        <exclusion>
          <groupId>org.eclipse.jetty</groupId>
          <artifactId>jetty-util</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-util</artifactId>
      <version>9.4.20.v20190813</version>
    </dependency>

whodevil commented 3 years ago

Was there any movement on this? OWASP Dependency-Check is flagging the version of Jetty as vulnerable. My team has excluded Jetty from the transitive dependency and is depending directly on a newer version of Jetty.

https://nvd.nist.gov/vuln/detail/CVE-2021-28165
https://nvd.nist.gov/vuln/detail/CVE-2020-27216

I should note we are seeing this on spark 2.9.3. It is pulling in jetty 9.4.31.
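Both workarounds in this thread (excluding a Jetty module and pinning it directly) only help if Maven actually resolves every Jetty module at the intended version. The following is an added example, not code from this thread or from Spark: it parses `mvn dependency:tree` output and reports Jetty artifacts below a chosen minimum as well as mixed Jetty versions. The sample tree, the minimum version and the function names are constructed for illustration.

```python
"""Check which Jetty artifacts Maven resolved, from `mvn dependency:tree` output."""
import re
from typing import Dict, List, Tuple

# Matches tree lines such as
# "[INFO] |  +- org.eclipse.jetty:jetty-util:jar:9.4.20.v20190813:compile"
# Captures groupId (including org.eclipse.jetty.* subgroups), artifactId and version.
_DEP_RE = re.compile(r"(org\.eclipse\.jetty(?:\.\w+)*):([\w.-]+):jar:(\d[\w.]*):")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Jetty version, e.g. '9.4.20.v20190813' -> (9, 4, 20)."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def jetty_artifacts(tree_output: str) -> Dict[str, str]:
    """Map each resolved Jetty 'groupId:artifactId' to the version Maven chose."""
    found: Dict[str, str] = {}
    for line in tree_output.splitlines():
        m = _DEP_RE.search(line)
        if m:
            found[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return found


def check_jetty(tree_output: str, minimum: str) -> Dict[str, List[str]]:
    """Report Jetty artifacts below `minimum` and every distinct Jetty version seen.

    More than one entry in 'versions_seen' means a partial exclusion left the
    Jetty modules at mismatched versions, which is worth fixing on its own.
    """
    arts = jetty_artifacts(tree_output)
    below = sorted(a for a, v in arts.items() if version_key(v) < version_key(minimum))
    return {"below_minimum": below, "versions_seen": sorted(set(arts.values()))}


# Constructed sample tree: copying the jetty-util pin from the workaround above
# verbatim onto spark-core 2.9.3 (which pulls Jetty 9.4.31 per the thread) would
# pin only jetty-util and leave the other Jetty modules at a different version.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.sparkjava:spark-core:jar:2.9.3:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.31.v20200723:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-http:jar:9.4.31.v20200723:compile
[INFO] |  |  \\- org.eclipse.jetty:jetty-io:jar:9.4.31.v20200723:compile
[INFO] |  +- org.eclipse.jetty:jetty-webapp:jar:9.4.31.v20200723:compile
[INFO] |  \\- org.eclipse.jetty.websocket:websocket-server:jar:9.4.31.v20200723:compile
[INFO] \\- org.eclipse.jetty:jetty-util:jar:9.4.20.v20190813:compile
"""

if __name__ == "__main__":
    print(check_jetty(SAMPLE_TREE, "9.4.31"))
```

Run it against real output with `mvn dependency:tree > tree.txt` and pass the file contents to `check_jetty` with whatever minimum your scanner expects.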