[ https://issues.apache.org/jira/browse/QPID-8502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17275980#comment-17275980 ]

ASF subversion and git services commented on QPID-8502:
-------------------------------------------------------

Commit db08538acb4289828d3e738cebcf0be323bf3df0 in qpid-broker-j's branch 
refs/heads/7.1.x from Dedeepya T
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=db08538 ]

QPID-8502: Upgrade jetty version

This closes #79


> Upgrade jetty component version
> -------------------------------
>
>                 Key: QPID-8502
>                 URL: https://issues.apache.org/jira/browse/QPID-8502
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.3, qpid-java-broker-7.1.11
>            Reporter: Dedeepya
>            Priority: Major
>
> The below components are reported as vulnerabilities and need to be upgraded
> ||Component Name||Component Version||
> |org.eclipse.jetty:jetty-server| 9.4.31.v20200723|
> The above jetty package is vulnerable to HTTP Request Smuggling. If GZIP 
> request body inflation is enabled and requests from different clients are 
> multiplexed onto a single connection, and if an attacker can send a request 
> with a body that is received entirely but not consumed by the application, 
> then a subsequent request on the same connection will see that body prepended 
> to its body. The attacker will not see any data but may inject data into the 
> body of the subsequent request.
> [https://ssap.jpmchase.net:9093/dashboard/vulnerabilities?id=31463-IBTAMQ-qpid-broker-jpmc_20210122095421]
> This affects the broker and we need to upgrade the jetty version.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
