ring-clojure / ring

Clojure HTTP server abstraction
MIT License

Response header overflow bug in Jetty #411

Closed mourjo closed 4 years ago

mourjo commented 4 years ago

Not sure if this has already been reported, but there is a security advisory on a bug in Jetty which Ring's Jetty adapter is using: https://github.com/advisories/GHSA-x3rh-m7vp-35f2

It affects versions >= 9.4.27, < 9.4.30.v20200611 and Ring's 1.8.1 version uses 9.4.28.v20200408. Issue in Jetty: https://github.com/eclipse/jetty.project/issues/4936
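As an added example (not code from the issue or the Ring project), a small Python check that takes the affected range quoted above, parses Jetty's `major.minor.patch.vYYYYMMDD` version scheme, and flags matching Jetty artifacts in dependency-tree output. The `lein deps :tree`-style sample text and its exact layout are assumptions, constructed for the example.

```python
import re
from typing import Dict, Tuple

# Jetty versions look like "9.4.28.v20200408": dotted numbers plus an optional
# ".vYYYYMMDD" build-date qualifier.
_JETTY_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:\.v(\d{8}))?$")

# Affected range from the advisory as quoted in the issue: >= 9.4.27, < 9.4.30.v20200611
AFFECTED_LOWER = "9.4.27"
AFFECTED_UPPER_EXCLUSIVE = "9.4.30.v20200611"


def parse_jetty_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Return a sortable key (numeric parts padded to 4, build date or 0).

    A bare version without a date qualifier sorts before any dated build of the
    same numeric version, so "9.4.27" counts as affected and only builds at or
    after 9.4.30.v20200611 fall outside the range.
    """
    m = _JETTY_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    numeric = tuple(int(p) for p in m.group(1).split("."))
    numeric = numeric + (0,) * (4 - len(numeric))
    date = int(m.group(2)) if m.group(2) else 0
    return numeric, date


def is_affected(version: str) -> bool:
    """True if `version` lies inside the advisory's half-open range."""
    key = parse_jetty_version(version)
    return parse_jetty_version(AFFECTED_LOWER) <= key < parse_jetty_version(AFFECTED_UPPER_EXCLUSIVE)


# Matches Leiningen-style dependency vectors such as
#   [org.eclipse.jetty/jetty-server "9.4.28.v20200408"]
_DEP_LINE = re.compile(r'\[org\.eclipse\.jetty/(jetty-[\w-]+)\s+"([^"]+)"\]')


def audit_dependency_tree(tree_text: str) -> Dict[str, bool]:
    """Map each Jetty artifact/version found in the tree text to its affected status."""
    return {f"{art}/{ver}": is_affected(ver) for art, ver in _DEP_LINE.findall(tree_text)}


# Constructed sample (assumption): what a dependency tree for a project on
# Ring 1.8.1 might show; not captured from a real project.
SAMPLE_TREE = """
 [ring/ring-jetty-adapter "1.8.1"]
   [org.eclipse.jetty/jetty-server "9.4.28.v20200408"]
     [org.eclipse.jetty/jetty-http "9.4.28.v20200408"]
"""
```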

weavejester commented 4 years ago

I've updated the dependency, and I'll release a patch version of Ring. Thanks for the report.

kjothen commented 3 years ago

Hi James - as per the above, please could you release a patch version of Ring? It would help get the ball rolling for the many libraries that depend upon it. Thanks!