Hi,
I'd like to mitigate my previous "there are no real security issues"
to something such as "there are no real security issues per default",
BUT as long as a user activates http2 there will be a security issue; see
https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j
I think it is still worth having this in the LTS as we don't want to have
Jetty 10 in LTS immediately.


On Fri, 5 Aug 2022 at 19:14, Tim Jacomb <timjaco...@gmail.com> wrote:

> Hello
>
> 2.361 has been selected as the next baseline
>
> Thanks
> Tim
>
> On Tue, 2 Aug 2022 at 23:43, Olivier Lamy <oliver.l...@gmail.com> wrote:
>
>> As explained in the PR there are no real security issues, but some
>> companies using scanners may have to live a long time with alarms etc...
>> And they don't have any "safe" (by "safe" I mean CVE-free :)) solution
>> to upgrade to before the version with Jetty 10.0.11 lands in LTS (and I do
>> not mention companies who are not ready yet to upgrade to Java 11).
>> Anyway, no big drama here; I was just thinking of a solution to help
>> users/companies with strict restrictions.
>> This may not happen and we cannot support old versions forever, but as
>> long as we have an LTS with Java 8 there can be some need for it.
>>
>> On Wed, 3 Aug 2022 at 08:17, Basil Crow <m...@basilcrow.com> wrote:
>>
>>> Are we talking about the version of Jetty to be shipped in 2.346.3 or
>>> the version of Jetty to be shipped in 2.361.1?
>>>
>>> 2.361.1 is far enough away that I would be in favor of a backport of
>>> Jetty 10.0.11, once it has been in the weekly release for a week or
>>> two without serious regressions. This would not require us to make any
>>> exception to the usual rules.
>>>
>>> For 2.346.3 I am not sure there is a need to do any Jetty backporting,
>>> but I would be willing to discuss it if there was a need.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Jenkins Developers" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to jenkinsci-dev+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjpcek4uaLV3WqGV%2Bgt5ncvJdXyT9ZwfNCA-P152OtqkSg%40mail.gmail.com
>>> .
>>>
>>
>>
>> --
>> Olivier Lamy
>> http://twitter.com/olamy | http://linkedin.com/in/olamy
>>


-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
