Skip to content

chore: Updated Jetty to 9.4.58.v20250814#6217

Open
MMaiero wants to merge 1 commit intorelease-5.6.0from
chore_update-jetty-9.4.58.v20250814
Open

chore: Updated Jetty to 9.4.58.v20250814#6217
MMaiero wants to merge 1 commit intorelease-5.6.0from
chore_update-jetty-9.4.58.v20250814

Conversation

@MMaiero
Copy link
Copy Markdown
Member

@MMaiero MMaiero commented Apr 13, 2026

Fixes Jetty CVE CVE-2024-13009. It updates the dependency even though not directly applicable to Kura.
Here an analysis:

  Does the Vulnerable Code Path Trigger?

  GzipHandler is explicitly wired up in KuraJettyCustomizer.java:67-70:                                                                                    
   
  final GzipHandler gzipHandler = new GzipHandler();                                                                                                       
  gzipHandler.setCompressionLevel(9);                                                                                                                      
  servletContextHandler.setGzipHandler(gzipHandler);                                                                                                       
                                                                                                                                                           
  The only setting is setCompressionLevel(9), which controls response compression only. Request body inflation is controlled by a separate flag —          
  inflateBufferSize — which defaults to −1 in the Jetty 9.4.56 bytecode:                                                                                   
                                                                                                                                                           
  iconst_m1               // push -1                                                                                                                       
  putfield _inflateBufferSize                                                                                                                              
                                                                                                                                                           
  Inside GzipHandler.handle(), the inflation block is guarded by:                                                                                          
                                                                                                                                                           
  getfield _inflateBufferSize                                                                                                                              
  ifle 355                // skip if ≤ 0                                                                                                                   
                                                                                                                                                           
  Since Kura never calls setInflateBufferSize(), the value remains −1. The guard jumps over the entire inflation path, and the GzipHttpInputInterceptor    
  that mishandles the buffer on gzip errors is never instantiated.

@MMaiero
chore: Updated Jetty to 9.4.58.v20250814
6c99e0f 
Signed-off-by: MMaiero <matteo.maiero@eurotech.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@salvatore-coppola salvatore-coppola salvatore-coppola approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MMaiero @salvatore-coppola