
test(deps): update dependency org.eclipse.jetty:jetty-server to v9.4.56.v20240826 [security] - autoclosed#388

Closed
renovate-bot wants to merge 1 commit into googleapis:main from renovate-bot:renovate/maven-org.eclipse.jetty-jetty-server-vulnerability

Conversation

@renovate-bot
Contributor

This PR contains the following updates:

| Package | Change |
| --- | --- |
| org.eclipse.jetty:jetty-server (source) | 9.4.51.v20230217 -> 9.4.56.v20240826 |

GitHub Vulnerability Alerts

CVE-2024-8184

Impact

Remote DoS attack can cause out-of-memory

Description

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.

Affected Versions

  • Jetty 12.0.0-12.0.8 (Supported)
  • Jetty 11.0.0-11.0.23 (EOL)
  • Jetty 10.0.0-10.0.23 (EOL)
  • Jetty 9.3.12-9.4.55 (EOL)

Patched Versions

  • Jetty 12.0.9
  • Jetty 11.0.24
  • Jetty 10.0.24
  • Jetty 9.4.56

Workarounds

Do not use ThreadLimitHandler.
Consider use of QoSHandler instead to artificially limit resource utilization.

References

Jetty 12 - https://github.com/jetty/jetty.project/pull/11723


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
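As an added example (not part of the Renovate PR or the advisory), the following script turns the advisory's affected-version list into a check that can be run against a project's pom.xml: it parses Jetty's `MAJOR.MINOR.PATCH.vYYYYMMDD` version strings, compares the numeric triple against the CVE-2024-8184 ranges quoted above, and reports any jetty-server dependency still inside them. The sample pom.xml is constructed for the demonstration and carries the pre-update version this PR bumps.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the CVE-2024-8184 advisory quoted above.
AFFECTED_RANGES = [
    ((12, 0, 0), (12, 0, 8)),
    ((11, 0, 0), (11, 0, 23)),
    ((10, 0, 0), (10, 0, 23)),
    ((9, 3, 12), (9, 4, 55)),
]
# Jetty 9.x appends a ".vYYYYMMDD" build qualifier (e.g. 9.4.56.v20240826); only the triple is compared.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")

def parse_jetty_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[.vYYYYMMDD]' into a comparable numeric triple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_jetty_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def jetty_server_versions(pom_xml: str) -> list:
    """Declared org.eclipse.jetty:jetty-server versions in a pom.xml string (${property} placeholders stay unresolved)."""
    def local(tag): return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix
    found = []
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep.tag) != "dependency":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.eclipse.jetty" and f.get("artifactId") == "jetty-server" and f.get("version"):
            found.append(f["version"])
    return found

def affected_versions_in_pom(pom_xml: str) -> list:
    """jetty-server versions in the POM that the advisory lists as affected."""
    return [v for v in jetty_server_versions(pom_xml) if is_affected(v)]

# Constructed sample pom.xml (not taken from the PR): the pre-update version this PR bumps.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-server</artifactId>
      <version>9.4.51.v20230217</version>
    </dependency>
  </dependencies>
</project>"""
```

Versions declared through `${jetty.version}`-style properties are returned unresolved and should be resolved from the `<properties>` block (or `mvn help:effective-pom`) before being checked.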

renovate-bot requested review from a team and gkevinzheng, October 14, 2024 22:37
trusted-contributions-gcf bot added the kokoro:force-run label, Oct 14, 2024
product-auto-label bot added the size: xs and api: logging labels, Oct 14, 2024
yoshi-kokoro removed the kokoro:force-run label, Oct 14, 2024
product-auto-label bot added the stale: old label, Nov 14, 2024
product-auto-label bot added the stale: extraold label and removed the stale: old label, Dec 14, 2024
renovate-bot changed the title from "test(deps): update dependency org.eclipse.jetty:jetty-server to v9.4.56.v20240826 [security]" to "test(deps): update dependency org.eclipse.jetty:jetty-server to v9.4.56.v20240826 [security] - autoclosed", Jan 23, 2025
renovate-bot deleted the renovate/maven-org.eclipse.jetty-jetty-server-vulnerability branch, January 23, 2025 17:59