jetty 9.2.25.v20180606 has security vulnerabilities. Can QuickBuild upgrade to a newer jetty? #4418

stang ·

It appears that QuickBuild uses jetty version 9.2.25.v20180606, which has some known security vulnerabilities, listed on:

Would it be possible to update the version of jetty used by QuickBuild to a version that contains fixes for the high severity CVEs?

It appears that jetty 9.4.39, 10.0.2, 11.0.2 all have a fix for the most recent high severity CVE listed in the above link.

In QuickBuild-10.0.41, I see the following files on the server and the nodes:

/framework/configuration/org.eclipse.osgi/lib/jetty-continuation-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-http-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-io-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-security-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-server-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-servlet-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-servlets-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-util-9.2.25.v20180606.jar
/framework/configuration/org.eclipse.osgi/lib/jetty-xml-9.2.25.v20180606.jar
robinshen ADMIN ·

Thanks. Will investigate and let you know the result.

robinshen ADMIN ·
stang ·

Excellent, thanks!
Is there any chance of updating QB 11 and 10 with this too?
We are currently on QB 10, but can upgrade to 12.0.4 if the jetty update will be in QB 12 only.

robinshen ADMIN ·

Please upgrade to QB12, as a Jetty upgrade is something major and we do not want to put it into old maintenance versions.
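
An added example, not part of the thread and not QuickBuild code: a Python check that reads Jetty jar names like those listed in the first post and flags any below the fixed releases that post names (9.4.39, 10.0.2, 11.0.2). The function names are illustrative, and every sample path other than the two copied from the post is constructed.

```python
import re
from pathlib import Path

# Minimum fixed release per major line, taken from the first post in this thread.
FIXED = {9: (9, 4, 39), 10: (10, 0, 2), 11: (11, 0, 2)}

# jetty-<module>-<major>.<minor>.<patch>[.<qualifier>].jar
JAR_RE = re.compile(
    r"^(jetty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)?\.jar$"
)

def classify(jar_path):
    """Return (module, version, status), or None if this is not a Jetty jar name."""
    m = JAR_RE.match(Path(jar_path).name)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(2, 3, 4))
    fixed = FIXED.get(version[0])
    if fixed is None:
        status = "unknown"      # major line the post gives no fixed release for
    elif version < fixed:
        status = "outdated"     # older than the fixed release on that line
    else:
        status = "ok"
    return m.group(1), version, status

def scan(paths):
    """Classify every path and drop the ones that are not Jetty jars."""
    return [r for r in (classify(p) for p in paths) if r is not None]

def scan_dir(root):
    """Walk an installation directory (assumed layout: jars anywhere below root)."""
    return scan(str(p) for p in Path(root).rglob("jetty-*.jar"))

SAMPLE = [
    # Two paths copied from the post:
    "/framework/configuration/org.eclipse.osgi/lib/jetty-http-9.2.25.v20180606.jar",
    "/framework/configuration/org.eclipse.osgi/lib/jetty-server-9.2.25.v20180606.jar",
    # Constructed names covering the remaining cases:
    "lib/jetty-server-9.4.39.jar",
    "lib/jetty-util-10.0.1.jar",
    "lib/jetty-io-12.0.1.jar",
    "lib/commons-io-2.8.0.jar",
]

if __name__ == "__main__":
    for module, version, status in scan(SAMPLE):
        print(f"{module:<16} {'.'.join(map(str, version)):<8} {status}")
```

The thresholds cover only the fix the post refers to; pointing `scan_dir` at the server and each node after an upgrade confirms that no 9.2.25 jar remains.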