
Jetty Vulnerability CVE-2023-36478 and CVE-2023-40167 #2017

Closed
halprin opened this issue Oct 12, 2023 · 7 comments

Comments

@halprin

halprin commented Oct 12, 2023

Jetty 11.0.15 has two vulnerabilities open against it. This is the version that Javalin 5.6.2 depends on.

Jetty has fixed both of these vulnerabilities in version 11.0.16. Can we release a new Javalin 5 version that uses at least version 11.0.16 of Jetty?
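The request above boils down to "which Jetty version is actually on my classpath, and is it at or above the fixed release?" One way a downstream project can check that in CI is to run the build tool's dependency tree and flag every Jetty artifact below the floor the thread settles on (11.0.17, which covers CVE-2023-36478, CVE-2023-40167 and CVE-2023-44487). The script below is an added example for this issue, not code from Javalin or Jetty; it parses `mvn dependency:tree` output, and the sample tree it runs on is constructed for illustration rather than captured from a real Javalin 5.6.2 build.

```python
import re
from typing import Dict, List, Tuple

# Minimum Jetty 11 version taken from the thread: 11.0.17 fixes
# CVE-2023-36478, CVE-2023-40167 and CVE-2023-44487.
MINIMUM_JETTY_VERSION = "11.0.17"

# Constructed sample of `mvn dependency:tree` output for a project that
# pulls Jetty in transitively through Javalin 5.6.2. Illustrative input,
# not captured from a real build.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- io.javalin:javalin:jar:5.6.2:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:11.0.15:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-http:jar:11.0.15:compile
[INFO] |  |  \\- org.eclipse.jetty:jetty-io:jar:11.0.15:compile
[INFO] |  \\- org.eclipse.jetty.websocket:websocket-jetty-server:jar:11.0.15:compile
[INFO] +- org.eclipse.jetty:jetty-util:jar:11.0.17:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.7:compile
"""

# Maven prints groupId:artifactId:type[:classifier]:version:scope. Only Jetty
# group ids are matched; the optional classifier group keeps artifacts such as
# "jar:tests:11.0.15:test" from being misread.
_COORD_RE = re.compile(
    r"(?P<group>org\.eclipse\.jetty[\w.]*):(?P<artifact>[\w-]+)"
    r":jar(?::[\w-]+)?:(?P<version>\d[\w.\-]*):\w+"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.0.15' into (11, 0, 15). A non-numeric suffix such as
    '-SNAPSHOT' is dropped from the component it is attached to."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def jetty_artifacts(tree_text: str) -> Dict[str, str]:
    """Return {groupId:artifactId: version} for every Jetty artifact in the tree."""
    found: Dict[str, str] = {}
    for m in _COORD_RE.finditer(tree_text):
        found[f"{m['group']}:{m['artifact']}"] = m["version"]
    return found


def outdated_jetty(tree_text: str,
                   minimum: str = MINIMUM_JETTY_VERSION) -> List[Tuple[str, str]]:
    """List (coordinate, version) pairs whose version is below `minimum`.
    Tuple comparison handles 11.0.9 < 11.0.17 correctly, unlike string order."""
    floor = parse_version(minimum)
    return sorted(
        (coord, ver)
        for coord, ver in jetty_artifacts(tree_text).items()
        if parse_version(ver) < floor
    )


if __name__ == "__main__":
    # In CI: mvn dependency:tree | python check_jetty.py  (pipe in place of SAMPLE_TREE)
    problems = outdated_jetty(SAMPLE_TREE)
    for coord, ver in problems:
        print(f"{coord} {ver} is below {MINIMUM_JETTY_VERSION}")
    raise SystemExit(1 if problems else 0)
```

Run against the sample, it reports the four Jetty 11.0.15 artifacts that Javalin 5.6.2 brings in and leaves `jetty-util` at 11.0.17 alone. Until a Javalin release with the bumped dependency ships, the same floor can be enforced on the consuming side by pinning the Jetty artifacts in Maven `dependencyManagement` (or a Gradle resolution strategy) and letting this check fail the build if the pin is ever lost.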

@dzikoysk
Member

dzikoysk commented Oct 12, 2023

Sure, would you like to submit a PR? As far as I remember, @zugazagoitia checked that we were not affected by this, but it's good to keep Jetty up-to-date anyway :)

Edit: By the way, there's already a v11.0.17, so I guess we should use that one.

@halprin
Author

halprin commented Oct 12, 2023

Oh sure, happy to! I notice that the master branch already has 11.0.16 in it (albeit 11.0.17 has been released), but the javalin-5x branch is still using 11.0.15. Not sure what it takes to get that update moved over to the javalin-5x branch, if I should open a PR directly against the javalin-5x branch, or what the general branching strategy is.

@dzikoysk
Member

Yup, just open the new PR for 5.x :) We don't really care about syncing 5.x with 6.x at this point, especially since we'll probably replace Jetty 11 with 12 before the 6.x release.

@halprin
Author

halprin commented Oct 12, 2023

Perfect, will do!

@halprin
Author

halprin commented Oct 12, 2023

Done. I created a PR against the javalin-5x branch.

@dzikoysk
Member

Thanks, now we have to wait for @tipsy :) He's currently slightly busy due to a business trip, but it should be merged in the upcoming days.

@zugazagoitia
Member

zugazagoitia commented Oct 13, 2023

> Sure, would you like to submit a PR? As far as I remember, @zugazagoitia checked that we were not affected by this, but it's good to keep Jetty up-to-date anyway :)
>
> Edit: By the way, there's already an v11.0.17, so I guess we should use that one.

These are both new CVEs, we're affected by both of them.
There's ANOTHER (CVE-2023-44487) extra vulnerability addressed in 11.0.17. I was just about to PR this now 😅
