Bump org-eclipse-jetty from 11.0.15 to 11.0.16

[dependabot]

Bumps org-eclipse-jetty from 11.0.15 to 11.0.16.
Updates org.eclipse.jetty:jetty-server from 11.0.15 to 11.0.16

Release notes

Sourced from org.eclipse.jetty:jetty-server's releases.

11.0.16

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @​strogiyotec (Almas Abdrazak)
• @​huisongma (huisongma)
• @​garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@​strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@​garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException

... (truncated)

Commits

• bedff45 Updating to version 11.0.16
• d3fbcaf Fixing release-jetty.sh script
• 99c049e Merge remote-tracking branch 'origin/jetty-10.0.x' into jetty-11.0.x
• 38cea26 Merge pull request #10400 from eclipse/jetty-10.0.x-inetaccessHandler
• d6320c4 fix checkstyle violation
• c3cf256 Merge remote-tracking branch 'origin/jetty-10.0.x' into jetty-11.0.x
• 3aaf39d Fix #10397 CharsetStringBuilder end vs length (#10399)
• b89398d Issue #10388 - add DistributionTest for InetAccessHandler
• 764c817 Issue #10388 - fix InetAccessHandler module
• cf97e58 Merged branch 'jetty-10.0.x' into 'jetty-11.0.x'.
• Additional commits viewable in compare view

Updates org.eclipse.jetty:jetty-servlet from 11.0.15 to 11.0.16

Release notes

Sourced from org.eclipse.jetty:jetty-servlet's releases.

11.0.16

Security Updates

This release addresses:

• GHSA-58qw-p7qm-5rvh - provides a workaround for direct users of XmlParser
• CVE-2023-40167
• CVE-2023-36479
• CVE-2023-41900

Special Thanks to the following Eclipse Jetty community members

• @​strogiyotec (Almas Abdrazak)
• @​huisongma (huisongma)
• @​garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10352 - Jetty accepts "+" prefixed value in Content-Length (CVE-2023-40167)
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@​strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@​garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet (CVE-2023-36479)
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException

... (truncated)

Commits

• bedff45 Updating to version 11.0.16
• d3fbcaf Fixing release-jetty.sh script
• 99c049e Merge remote-tracking branch 'origin/jetty-10.0.x' into jetty-11.0.x
• 38cea26 Merge pull request #10400 from eclipse/jetty-10.0.x-inetaccessHandler
• d6320c4 fix checkstyle violation
• c3cf256 Merge remote-tracking branch 'origin/jetty-10.0.x' into jetty-11.0.x
• 3aaf39d Fix #10397 CharsetStringBuilder end vs length (#10399)
• b89398d Issue #10388 - add DistributionTest for InetAccessHandler
• 764c817 Issue #10388 - fix InetAccessHandler module
• cf97e58 Merged branch 'jetty-10.0.x' into 'jetty-11.0.x'.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)