Fix CVE-2024-6762

(cherry picked from commit 67f568f26c313f06108f65fa54970dcd4d32fabb)

CVE-2024-6762.patch

@@ -0,0 +1,60 @@
+From c9fb33ab85959921ff3183311587af02772dda89 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts <lachlan@webtide.com>
+Date: Mon, 1 May 2023 14:40:35 +1000
+Subject: [PATCH 1/2] deprecate PushSessionCacheFilter
+
+Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
+---
+ .../java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java  | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 4fa0ea1028cb..9950dce98bda 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -41,6 +41,7 @@
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+ 
++@Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+     private static final String TARGET_ATTR = "PushCacheFilter.target";
+
+From 2588cedddca989b6b96e6954ae6e8fc8f3e1c487 Mon Sep 17 00:00:00 2001
+From: Lachlan Roberts <lachlan@webtide.com>
+Date: Tue, 2 May 2023 12:02:12 +1000
+Subject: [PATCH 2/2] update javadoc and add log warning message for
+ PushSessionCacheFilter
+
+Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
+---
+ .../eclipse/jetty/servlets/PushSessionCacheFilter.java    | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+index 9950dce98bda..81b85cb2b85e 100644
+--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
++++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/PushSessionCacheFilter.java
+@@ -41,6 +41,9 @@
+ import org.eclipse.jetty.util.log.Log;
+ import org.eclipse.jetty.util.log.Logger;
+ 
++/**
++ * @deprecated no replacement for this deprecated http feature
++ */
+ @Deprecated
+ public class PushSessionCacheFilter implements Filter
+ {
+@@ -50,6 +53,11 @@ public class PushSessionCacheFilter implements Filter
+     private final ConcurrentMap<String, Target> _cache = new ConcurrentHashMap<>();
+     private long _associateDelay = 5000L;
+ 
++    public PushSessionCacheFilter()
++    {
++        LOG.warn(PushSessionCacheFilter.class.getSimpleName() + " is an example class not suitable for production.");
++    }
++
+     @Override
+     public void init(FilterConfig config) throws ServletException
+     {

jetty.spec

@@ -12,7 +12,7 @@
 %bcond_with     jp_minimal
 Name:                jetty
 Version:             9.4.16
-Release:             7
+Release:             8
 Summary:             Java Webserver and Servlet Container
 License:             Apache-2.0 OR EPL-1.0
 URL:                 http://www.eclipse.org/jetty/
@@ -32,6 +32,7 @@ Patch7:              CVE-2023-26048.patch
 Patch8:              CVE-2023-26049.patch
 Patch9:              CVE-2023-36479.patch
 Patch10:             CVE-2023-40167.patch
+Patch11:             CVE-2024-6762.patch
 
 BuildRequires:       maven-local mvn(javax.servlet:javax.servlet-api) < 4.0.0
 BuildRequires:       mvn(org.apache.felix:maven-bundle-plugin)
@@ -800,6 +801,9 @@ exit 0
 %license LICENSE NOTICE.txt LICENSE-MIT
 
 %changelog
+* Tue Nov 05 2024 yaoxin <yao_xin001@hoperun.com> - 9.4.16-8
+- Fix CVE-2024-6762
+
 * Tue Oct 15 2024 wangkai <13474090681@163.com> - 9.4.16-7
 - Fix CVE-2023-26048,CVE-2023-26049,CVE-2023-36479,CVE-2023-40167