From 8ac88f433fe7bffaf09dfc93838bbde908400738 Mon Sep 17 00:00:00 2001
From: Zile Yao
Date: Wed, 20 Dec 2023 17:03:14 +0800
Subject: [PATCH] Fix CVE-2023-36479
Signed-off-by: Zile Yao
---
 CVE-2023-36479.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
 jetty.spec | 6 +++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-36479.patch
diff --git a/CVE-2023-36479.patch b/CVE-2023-36479.patch
new file mode 100644
index 0000000..ad0540a
--- /dev/null
+++ b/CVE-2023-36479.patch
@@ -0,0 +1,50 @@
+From a244a09c58b5494f48375f3a38041178893d2b4c Mon Sep 17 00:00:00 2001
+From: Zile Yao
+Date: Wed, 20 Dec 2023 06:29:12 -0500
+Subject: [PATCH] cve
+
+Signed-off-by: Zile Yao
+---
+ .../src/main/java/org/eclipse/jetty/servlets/CGI.java | 3 +++
+ .../test-jetty-webapp/src/main/webapp/WEB-INF/web.xml | 11 ----------
+ 2 files changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
+index 6322290..55d8f9a 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
+@@ -67,7 +67,10 @@ import org.eclipse.jetty.util.log.Logger;
+ *
ignoreExitState
+ *
If true then do not act on a non-zero exec exit status")
+ *
++ *
++ * @deprecated do not use, no replacement, will be removed in a future release.
+ */
++@Deprecated
+ public class CGI extends HttpServlet
+ {
+ private static final long serialVersionUID = -6182088932884791074L;
+diff --git a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
+index 507771f..978595f 100644
+--- a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
++++ b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
+@@ -122,17 +122,6 @@
+ 
+ 
+ 
+- CGI
+- org.eclipse.jetty.servlets.CGI
+- 1
+-
+-
+-
+- CGI
+- /cgi-bin/*
+-
+-
+-
+ Chat
+ com.acme.ChatServlet
+ 1
+--
+1.8.3.1
diff --git a/jetty.spec b/jetty.spec
index 91c7e6e..0262270 100644
--- a/jetty.spec
+++ b/jetty.spec
@@ -12,7 +12,7 @@
 %bcond_with jp_minimal
 Name: jetty
 Version: 9.4.16
-Release: 4
+Release: 5
 Summary: Java Webserver and Servlet Container
 License: ASL 2.0 or EPL-1.0 or EPL-2.0
 URL: http://www.eclipse.org/jetty/
@@ -28,6 +28,7 @@ Patch3: CVE-2021-28169.patch
 Patch4: CVE-2021-34428.patch
 Patch5: CVE-2022-2047.patch
 Patch6: CVE-2022-2048.patch
+Patch7: CVE-2023-36479.patch
 BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) < 4.0.0
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@@ -796,6 +797,9 @@ exit 0
 %license LICENSE NOTICE.txt LICENSE-MIT
 %changelog
+* Wed Dec 20 2023 ZileYao - 9.4.16-5
+- Fix CVE-2023-36479
+
 * Mon May 29 2023 yaoxin - 9.4.16-4
 - Fix eclipse-jgit build failure in EBS
--
Gitee
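Review bot: The backported change to CGI.java consists only of the three added lines in this hunk (`++ *`, `++ * @deprecated …`, `++@Deprecated`) plus the removal of the CGI servlet mapping from the test webapp's web.xml; nothing in how the CGI command is built or quoted is touched, so `org.eclipse.jetty.servlets.CGI` presumably still ships in jetty-servlets with unchanged behaviour, and any deployment that maps it stays exposed to CVE-2023-36479. Confirm against the upstream 9.4.x fix whether the command-handling change was meant to be carried as well, or whether deprecation alone is the intended mitigation; if it is the latter, the changelog line `- Fix CVE-2023-36479` overstates it and should read something like `- CVE-2023-36479: deprecate the CGI servlet and drop it from the test webapp`. The embedded patch's own subject is just `Subject: [PATCH] cve`; naming the CVE and the component there would make the patch file self-describing. The body of `CGI` continues outside the hunk.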
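Review bot: `+Patch7: CVE-2023-36479.patch` declares the new patch, but this diff shows no matching application line; if the spec's `%prep` applies patches with explicit `%patchN` directives rather than `%autosetup`/`%autopatch`, the patch is declared yet never applied and the build silently keeps the unpatched source. The `%prep` section is outside the hunk, so this may already be handled there, but it is worth verifying on the built package rather than assuming.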