diff --git a/0001-fix-CVE-2024-6762.patch b/0001-fix-CVE-2024-6762.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f0e86e73fdd46ee806dadbd009bf146d34a71bc7
--- /dev/null
+++ b/0001-fix-CVE-2024-6762.patch
@@ -0,0 +1,24 @@
+From c9fb33ab85959921ff3183311587af02772dda89 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts
+Date: Fri, 11 Oct 2024 00:40:06 +0800
+Subject: [PATCH] fix CVE-2024-6762
+
+---
+ .../java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 8e73a17..32df129 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -42,6 +42,7 @@ import org.eclipse.jetty.server.Response;
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+
++@Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+ private static final String TARGET_ATTR = "PushCacheFilter.target";
+--
+2.43.0
+
diff --git a/0002-fix-CVE-2024-6762.patch b/0002-fix-CVE-2024-6762.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bf81fc628fcf09faebfbd8f341656fb02677cba5
--- /dev/null
+++ b/0002-fix-CVE-2024-6762.patch
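Review bot: This patch and 0002 carry the same subject and 0002 re-touches the very lines this one introduces (the bare `@Deprecated` at line 42 of PushSessionCacheFilter.java only gets its Javadoc `@deprecated` tag in the next patch), so the pair reads as one backport split in two and would be clearer squashed into a single patch file. If they are kept separate, the subject should say what this step does rather than repeat the CVE id, e.g. `Subject: [PATCH] Deprecate PushSessionCacheFilter (CVE-2024-6762)`. The `@Deprecated` annotation on its own is a compile-time signal only; the class body it annotates continues outside this hunk and is unchanged here.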
@@ -0,0 +1,38 @@
+From 2588cedddca989b6b96e6954ae6e8fc8f3e1c487 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts
+Date: Fri, 11 Oct 2024 00:57:36 +0800
+Subject: [PATCH] fix-CVE-2024-6762
+
+---
+ .../eclipse/jetty/servlets/PushSessionCacheFilter.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 32df129..f539fae 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -42,6 +42,9 @@ import org.eclipse.jetty.server.Response;
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+
++/**
++ * @deprecated no replacement for this deprecated http feature
++ */
+ @Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+@@ -51,6 +54,11 @@ public class PushSessionCacheFilter implements Filter
+ private final ConcurrentMap _cache = new ConcurrentHashMap<>();
+ private long _associateDelay = 5000L;
+
++ public PushSessionCacheFilter()
++ {
++ LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is an example class not suitable for production.");
++ }
++
+ @Override
+ public void init(FilterConfig config) throws ServletException
+ {
+--
+2.43.0
+
diff --git a/jetty.spec b/jetty.spec
index d816ae26aaffde00cee84d481647363c562cbb10..be668a25e70c40e80de13e21dfb7203a1a523ee1 100644
--- a/jetty.spec
+++ b/jetty.spec
@@ -12,7 +12,7 @@
 %bcond_with jp_minimal
 Name: jetty
 Version: 9.4.16
-Release: 7
+Release: 8
 Summary: Java Webserver and Servlet Container
 License: Apache-2.0 OR EPL-1.0
 URL: http://www.eclipse.org/jetty/
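Review bot: Nothing in this patch changes what the filter does: the `_cache` in the context lines is still a raw `ConcurrentHashMap` with no bound or eviction visible, `init()` and the rest of the class continue outside the hunk untouched, and the only new behaviour is a `LOG.warn` in the constructor, so a deployment that keeps this filter in its chain is as exposed after the update as before. That matches a deprecate-and-warn approach rather than a code fix, which is acceptable if intended, but the warning should tell the operator what to do, e.g. `LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is an example class not suitable for production; remove it from the filter chain (CVE-2024-6762).");`, and the package changelog entry should say the fix is a deprecation so downstream users do not assume the class was hardened. Emitting the warning from the constructor also means it fires once per instantiation, which is presumably once per filter registration; if a single warn per JVM is wanted a static guard would be needed, but that is a judgement call. `LOG` is not declared in this hunk; I assume it is the class's static `Logger` obtained via the `Log`/`Logger` imports shown.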
@@ -32,6 +32,8 @@
 Patch7: CVE-2023-26048.patch
 Patch8: CVE-2023-26049.patch
 Patch9: CVE-2023-36479.patch
 Patch10: CVE-2023-40167.patch
+Patch11: 0001-fix-CVE-2024-6762.patch
+Patch12: 0002-fix-CVE-2024-6762.patch
 BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) < 4.0.0
 BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@@ -800,6 +802,9 @@ exit 0
 %license LICENSE NOTICE.txt LICENSE-MIT
 %changelog
+* Tue Oct 15 2024 changtao - 9.4.16-8
+- Fix CVE-2024-6762
+
+* Tue Oct 15 2024 wangkai <13474090681@163.com> - 9.4.16-7
 - Fix CVE-2023-26048,CVE-2023-26049,CVE-2023-36479,CVE-2023-40167
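Review bot: `Patch11` and `Patch12` are declared here but nothing in the diff applies them, and `%prep` is outside the hunk; verify it uses `%autosetup`/`%autopatch` or gains matching `%patch11 -p1` and `%patch12 -p1` lines, because with explicit `%patchN` lines a forgotten entry builds cleanly and ships an unpatched jar while the changelog claims the CVE is fixed. Both new patch files carry a `From`/`Subject`/diffstat preamble and paths rooted at `jetty-servlets/...`, so `-p1` is the correct strip level if explicit lines are needed. Whatever convention Patch7–Patch10 use in `%prep` should be followed for these two.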