Fix CVE-2024-6762

(cherry picked from commit 67f568f26c313f06108f65fa54970dcd4d32fabb)
starlet-dx 2024-11-05 20:04:39 +08:00 committed by openeuler-sync-bot
parent a0dbfd0842
commit 7cf09c0a75
2 changed files with 65 additions and 1 deletions

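--- /dev/null
+++ b/CVE-2024-6762.patch
@@ -0,0 +1,60 @@
+From c9fb33ab85959921ff3183311587af02772dda89 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts <lachlan@webtide.com>
+Date: Mon, 1 May 2023 14:40:35 +1000
+Subject: [PATCH 1/2] deprecate PushSessionCacheFilter
+Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
+---
+.../java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java | 1 +
+1 file changed, 1 insertion(+)
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 4fa0ea1028cb..9950dce98bda 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -41,6 +41,7 @@
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
++@Deprecated
+public class PushSessionCacheFilter implements Filter
+{
+private static final String TARGET_ATTR = "PushCacheFilter.target";
+From 2588cedddca989b6b96e6954ae6e8fc8f3e1c487 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts <lachlan@webtide.com>
+Date: Tue, 2 May 2023 12:02:12 +1000
+Subject: [PATCH 2/2] update javadoc and add log warning message for
+PushSessionCacheFilter
+Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
+---
+.../eclipse/jetty/servlets/PushSessionCacheFilter.java | 8 ++++++++
+1 file changed, 8 insertions(+)
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 9950dce98bda..81b85cb2b85e 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -41,6 +41,9 @@
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.log.Logger;
++/**
++ * @deprecated no replacement for this deprecated http feature
++ */
+@Deprecated
+public class PushSessionCacheFilter implements Filter
+{
+@@ -50,6 +53,11 @@ public class PushSessionCacheFilter implements Filter
+private final ConcurrentMap<String, Target> _cache = new ConcurrentHashMap<>();
+private long _associateDelay = 5000L;
++ public PushSessionCacheFilter()
++ {
++ LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is an example class not suitable for production.");
++ }
++
+@Override
+public void init(FilterConfig config) throws ServletException
+{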
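Review bot: The patch only marks PushSessionCacheFilter @Deprecated and logs a warning from the new constructor; the filter itself is left fully functional, so a deployment that already has it configured keeps the same runtime behaviour after this update and the commit title "Fix CVE-2024-6762" overstates the effect — operators still have to remove the filter themselves. The warning would be more actionable if it said what to do, e.g. `LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is deprecated and not suitable for production; remove it from the filter chain.");`, and the spec %changelog entry should say the fix is a deprecation rather than a code-level mitigation. The constructor references a `LOG` field declared outside the hunk, presumably the class's static Logger given the Log/Logger imports retained at the top of the hunk. The javadoc line `@deprecated no replacement for this deprecated http feature` reads awkwardly; `@deprecated there is no replacement; this example filter is not suitable for production use` states the same thing more clearly.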

@ -12,7 +12,7 @@
%bcond_with jp_minimal %bcond_with jp_minimal
Name: jetty Name: jetty
Version: 9.4.16 Version: 9.4.16
Release: 7 Release: 8
Summary: Java Webserver and Servlet Container Summary: Java Webserver and Servlet Container
License: Apache-2.0 OR EPL-1.0 License: Apache-2.0 OR EPL-1.0
URL: http://www.eclipse.org/jetty/ URL: http://www.eclipse.org/jetty/
@ -32,6 +32,7 @@ Patch7: CVE-2023-26048.patch
Patch8: CVE-2023-26049.patch Patch8: CVE-2023-26049.patch
Patch9: CVE-2023-36479.patch Patch9: CVE-2023-36479.patch
Patch10: CVE-2023-40167.patch Patch10: CVE-2023-40167.patch
Patch11: CVE-2024-6762.patch
BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) < 4.0.0 BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) < 4.0.0
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@ -800,6 +801,9 @@ exit 0
%license LICENSE NOTICE.txt LICENSE-MIT %license LICENSE NOTICE.txt LICENSE-MIT
%changelog %changelog
* Tue Nov 05 2024 yaoxin <yao_xin001@hoperun.com> - 9.4.16-8
- Fix CVE-2024-6762
* Tue Oct 15 2024 wangkai <13474090681@163.com> - 9.4.16-7 * Tue Oct 15 2024 wangkai <13474090681@163.com> - 9.4.16-7
- Fix CVE-2023-26048,CVE-2023-26049,CVE-2023-36479,CVE-2023-40167 - Fix CVE-2023-26048,CVE-2023-26049,CVE-2023-36479,CVE-2023-40167