Bunch of jetty upgrades

exasol · Oct 21, 2024 · e14f7b1 · e14f7b1
1 parent 4614d7a
commit e14f7b1
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 96 deletions.
diff --git a/dependencies.md b/dependencies.md
diff --git a/doc/changes/changes_1.7.8.md b/doc/changes/changes_1.7.8.md
@@ -4,9 +4,9 @@ Code name:
 
 ## Summary
 
-## Features
+## Security
 
-* ISSUE_NUMBER: description
+* #106: CVE-2024-47561: org.apache.avro:avro:jar:1.11.3:compile
 
 ## Dependency Updates
 
@@ -15,3 +15,9 @@ Code name:
 #### Compile Dependency Updates
 
 * Updated `org.apache.avro:avro:1.11.3` to `1.11.4`
+
+#### Test Dependency Updates
+
+* Updated `org.eclipse.jetty.http2:http2-server:9.4.54.v20240208` to `11.0.24`
+* Added `org.eclipse.jetty:jetty-http:12.0.14`
+* Added `org.eclipse.jetty:jetty-servlets:11.0.24`
diff --git a/pom.xml b/pom.xml
@@ -218,10 +218,24 @@
             <scope>test</scope>
         </dependency>
         <dependency>
-            <!-- Upgrade transitive dependency org.eclipse.jetty.http2:http2-common of io.github.embeddedkafka:embedded-kafka-schema-registry_2.13 to fix CVE-2024-22201 -->
+            <!-- Upgrade transitive dependency org.eclipse.jetty.http2:http2-common of io.github.embeddedkafka:embedded-kafka-schema-registry_2.13 to fix CVE-2024-22201, CVE-2023-36479, CVE-2024-9823, CVE-2024-6762 and CVE-2024-8184  -->
             <groupId>org.eclipse.jetty.http2</groupId>
             <artifactId>http2-server</artifactId>
-            <version>9.4.54.v20240208</version>
+            <version>11.0.24</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <!-- Upgrade to fix CVE-2024-6763 -->
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-http</artifactId>
+            <version>12.0.14</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <!-- Upgrade to fix CVE-2024-6762 and CVE-2024-9823 -->
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlets</artifactId>
+            <version>11.0.24</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -463,8 +477,6 @@
                 <artifactId>ossindex-maven-plugin</artifactId>
                 <configuration>
                     <excludeVulnerabilityIds>
-                        <!-- org.eclipse.jetty:jetty-servlets:jar:9.4.51.v20230217:test -->
-                        <exclude>CVE-2023-36479</exclude>
                     </excludeVulnerabilityIds>
                 </configuration>
             </plugin>