Greg Wilkins | 24 Sep 2002 10:11

Release 4.1.0


The new stable release 4.1.0 is now available via http://jetty.mortbay.org

The 4.1.x series represents a refactoring of the Jetty architecture
to make it more suitable for the current servlet spec.  As such
Jetty 4.1.0 provides improvements in performance and compliance.

Jetty 4.1 also supports many new features such as AJP13 integration.
While the new features do continue to stabilize, the core of
Jetty 4.1.0 has been stable and reliable for many months now.

4.1.0 also contains a priority security fix for the CGI servlet
running on Windows platforms.  This remotely exploitable problem
affects all previous versions of Jetty that use the CGI servlet
on Windows without a permissions file configured for the context.
The CGI servlet from 4.1.0 may be used in 4.0 releases.

Jetty-4.1.0 - 22 September 2002
  + Fixed CGI+windows security hole.
  + Fixed AJP13 handling of mod_jk loadbalancing.
  + Stop servlets in opposite order to start.
  + NCSARequest log buffered default
  + WEB-INF/classes before WEB-INF/lib
  + Sorted directory listings.
  + Handle unremovable tempdir.
  + Context Initparams to control session cookie domain, path and age.
  + ClientCertAuthenticator protected from null subjectDN
  + Added LimitedNCSARequestLog
  + Use javac -target 1.2 for normal classes


Greg Wilkins | 30 Sep 2002 14:13

Release 4.1.1 (Security update)


Release 4.1.1 of Jetty is now available via http://jetty.mortbay.org

This release is motivated by the security problem that was introduced
with the jasper2 JSP engine.   With a carefully crafted URL, it is
possible to send a request to Jetty 4.1.0RC4 to 4.1.0 that contains
javascript.   The javascript will be executed as if it originated from
the server, which can cause security problems if users have granted
security privileges to javascript from that site.

The problem can be avoided by:
   + Disabling the JspServlet in webdefaults.xml
   + Rolling back to use a jasper1 jar from a Jetty-4.0.x release
   + Updating to the 4.1.1 release.

This release also contains a number of optimizations. The
most significant of these is the deprecation of the maxReadTimeMs
value for Listeners.  The maxIdleTimeMs is now used instead and
gains 5% to 10% by avoiding frequently changing socket attributes.

Jetty-4.1.1 - 30 September 2002
  + Fixed client scripting vulnerability with jasper2.
  + Merged LimitedNCSARequestLog into NCSARequestLog
  + Fixed space in resource name handling for jdk1.4
  + Moved launcher/src to src/org/mortbay/start
  + Fixed infinite recursion in JDBCUserRealm
  + Avoid setting sotimeout for optimization.
  + String comparison of If-Modified-Since headers.
  + Touch files when expanding jars
  + Deprecated maxReadTime.

