ring-clojure / ring

Clojure HTTP server abstraction
MIT License

Jetty vulnerability issue CVE-2020-27223 #433

Closed javicg closed 3 years ago

javicg commented 3 years ago

There is a security vulnerability on the Jetty server, related to the consumption of Accept headers that could lead to DoS

It looks like the Eclipse foundation already released a newer version of the server: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.37.v20210219

The latest patch for 9.4 is jetty-9.4.38.v20210224

Would it be possible to release a new version of Ring after the version update?

Related links:

weavejester commented 3 years ago

From a brief reading of the affected systems in Jetty, it seems like this won't affect Ring except for applications that fall back on the default Jetty error handler. However, it's certainly better to be safe than sorry, so I'll push out a new patch release.

javicg commented 3 years ago

Much appreciated! Thanks for replying so quickly.

Looking forward to the update.

weavejester commented 3 years ago

I should also add that until the update is deployed you can still update the Jetty dependency independently of Ring.
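As an added illustration of the workaround described in the comment above (not code from the issue or from the Ring project), the Leiningen `project.clj` below pins Jetty to the patched 9.4.38 release named earlier in the thread while keeping the existing adapter artifact. `my-app`, the Clojure version and `RING-VERSION` are placeholders; substitute your own project name and the adapter version you already depend on.

```clojure
;; project.clj (added example, not from the Ring repository)
;; Overrides the Jetty version that ring-jetty-adapter pulls in transitively
;; with the patched 9.4.38.v20210224 release from the issue. RING-VERSION is a
;; placeholder for the adapter version your project already uses.
(defproject my-app "0.1.0-SNAPSHOT"
  :dependencies [[org.clojure/clojure "1.10.1"]
                 ;; Exclude the Jetty server the adapter would otherwise bring in...
                 [ring/ring-jetty-adapter "RING-VERSION"
                  :exclusions [org.eclipse.jetty/jetty-server]]
                 ;; ...and declare the patched release directly. Its own
                 ;; transitive dependencies (jetty-http, jetty-io, jetty-util)
                 ;; then resolve to the same 9.4.38 version.
                 [org.eclipse.jetty/jetty-server "9.4.38.v20210224"]])
```

Run `lein deps :tree` afterwards and confirm that every `org.eclipse.jetty` artifact resolves to 9.4.38.v20210224; a mix of Jetty versions in the tree means the exclusion did not take effect.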