Special Thanks to the following Eclipse Jetty community members

• @frode-carlsen (Frode Carlsen)

Changelog

• #6406 - Jetty Jaspi module not compatible with Jakarta EE 9 (Jakarta Authentication) (@frode-carlsen)

Dependency Updates

• #6788 - Bump conscrypt-openjdk-uber from 2.5.1 to 2.5.2
• #6750 - Bump openwebbeans.version from 2.0.20 to 2.0.23
• #6742 - Bump json-smart from 2.3 to 2.4.7
• #6725 - Bump gson from 2.8.6 to 2.8.8
• #6722 - Bump biz.aQute.bndlib from 5.2.0 to 5.3.0
• #6717 - Bump bouncycastle.version from 1.62 to 1.69
• #6712 - Bump jnr-unixsocket from 0.38.3 to 0.38.10
• #6711 - Bump google-cloud-datastore from 1.105.0 to 2.1.0
• #6705 - Bump hazelcast.version from 4.1 to 4.2.2
• #6679 - Update to Apache Jasper 10.0.10

Special Thanks to the following Eclipse Jetty community members

• @prenagha (Padraic Renaghan)

Changelog

• #6883 - Welcome file redirects do not honor the relativeRedirectAllowed option
• #6870 - Encode control characters in URIUtil.encodePath
• #6869 - Correct Content-Type within HTML error pages
• #6868 - _uriCompliance attribute has been forgotten in the HttpConfiguration constructor from another configuration
• #6860 - IPv6 format
• #6752 - DefaultSessionCache more extensible using ConcurrentMap (@prenagha)
• #6735 - infinispan-embedded-query and infinispan-remote-query modules broken
• #6696 - High WebSocket memory usage in Jetty 10
• #6693 - FastCGI review
• #6681 - Alternate Alias checkers
• #6661 - Some SocketOptions not supported on Windows
• #6654 - ServerUpgradeRequest.getCookies() can throws NullPointerException
• #6642 - WebSocket handling of Connection: upgrade,close.
• #6624 - Fix non-domain SNI on Java17
• #6618 - ID token azp claim should not be required if aud is single value array
• #6617 - Add basic auth support for OpenId token endpoint (client_secret_basic)
• #6603 - HTTP/2 max local stream count exceeded
• #6602 - SessionTracker memory leak on WebSockets that close immediately
• #6601 - jetty-websocket-core not usable standalone, only with websocket-javax-server or websocket-jetty-server
• #6586 - Remove some unnecessary dependencies
• #6565 - Improve deployment of symlinked webapplications
• #6562 - HttpOutput.write(ByteBuffer buffer)
• #6559 - Non blocking ReservedThreadExecutor (#6535)
• #6556 - MemcachedSessionDataMap needs to set the context classloader before serialization/deseriazliation.
• #6554 - Allow creation of DefaultIdentityService without realmName.
• #6553 - Review usage of Authentication.UNAUTHENTICATED in SecurityHandler
• #6544 - Using jetty.gzip.excludedMimeTypeList property results in an error
• #6520 - Error page has HTML error when writePoweredBy is enabled.
• #6494 - Reduce header cache memory usage on non persistent requests
• #6489 - Some URI valid compliance modes cannot be set in .ini file.
• #6487 - Expose ServletHolder getter in ServletHandler$ChainEnd for auditing libraries to use
• #6476 - Show message if JVM args are present but new JVM is spawned based on active modules
• #6406 - Jetty Jaspi module not compatible with Jakarta EE 9 (Jakarta Authentication)
• #6372 - Review socket options configuration
• #6322 - Use RetainableByteBuffer in HttpConnection
• #6043 - Reimplement UnixSocket support based on Java 16
• #5229 - Update WebSocket documentation in Jetty 10

Dependency Updates

• #6935 - Bump guava from 30.1.1-jre to 31.0.1-jre
• #6921 - Bump hawtio-default from 2.13.6 to 2.14.0
• #6914 - Bump grpc-core from 1.40.1 to 1.41.0
• #6913 - Bump logback-core from 1.3.0-alpha9 to 1.3.0-alpha10
• #6912 - Bump log4j-api from 2.14.0 to 2.14.1
• #6911 - Bump hawtio-default from 2.13.5 to 2.13.6
• #6910 - Bump jakarta.inject-api from 1.0 to 1.0.3
• #6904 - Bump jamon.version from 2.81 to 2.82
• #6901 - Bump google-cloud-datastore from 2.1.0 to 2.1.2
• #6863 - Bump jnr-unixsocket from 0.38.10 to 0.38.11
• #6845 - Bump org.eclipse.osgi.util from 3.6.0 to 3.6.100
• #6843 - Bump org.eclipse.osgi.services from 3.10.100 to 3.10.200
• #6842 - Bump org.eclipse.osgi from 3.16.300 to 3.17.0
• #6840 - Bump jakarta.transaction-api from 1.3.2 to 1.3.3
• #6830 - Bump jaxws-rt from 2.3.3 to 2.3.5
• #6824 - Bump cdi-api from 1.2 to 2.0
• #6809 - Bump bouncycastle.version from 1.62 to 1.69
• #6807 - Bump tycho-version from 2.1.0 to 2.3.0
• #6772 - Update to asm 9.2
• #6763 - Bump json-smart from 2.3 to 2.4.7
• #6762 - Bump google-cloud-datastore from 1.105.0 to 2.1.0
• #6751 - Bump jnr-unixsocket from 0.38.3 to 0.38.10 (#6712)
• #6732 - Bump hazelcast.version from 4.1 to 4.2.2
• #6721 - Bump gson from 2.8.6 to 2.8.8
• #6710 - Bump xmemcached from 2.4.6 to 2.4.7
• #6707 - Bump org.apache.felix.framework from 6.0.3 to 7.0.1
• #6703 - Bump jnr-constants from 0.10.0 to 0.10.2
• #6684 - Bump slf4j to 2.0.0-alpha5
• #6677 - Update to apache jasper 9.0.52

🌟 Sponsored Changes

• #6072 - Backport High CPU usage when TLS client sends TLS Record data exceeding length 17408 fix
• #6263 - Backport URI encoding in ConcatServlet & WelcomeFilter fixes
• #6277 - Backport handle exceptions thrown from session destroy listener

Changelog

• #6883 - Welcome file redirects do not honor the relativeRedirectAllowed option
• #6870 - Encode control characters in URIUtil.encodePath
• #6869 - Correct Content-Type within HTML error pages
• #6860 - IPv6 format
• #6652 - Improve ReservedThreadExecutor dump
• #6618 - ID token azp claim should not be required if aud is single value array
• #6617 - Add basic auth support for OpenId token endpoint (client_secret_basic)
• #6603 - HTTP/2 max local stream count exceeded
• #6562 - HttpOutput.write(ByteBuffer buffer)
• #6558 - Allow to configure return type in JSON array parsing
• #6554 - Allow creation of DefaultIdentityService without realmName.
• #6553 - Review usage of Authentication.UNAUTHENTICATED in SecurityHandler
• #6535 - Non blocking ReservedThreadExecutor
• #6520 - Error page has HTML error when writePoweredBy is enabled.
• #6487 - Expose ServletHolder getter in ServletHandler$ChainEnd for auditing libraries to use

Updated Dependencies

• #6922 - Bump hawtio-default from 2.13.5 to 2.14.0
• #6919 - Bump jamon.version from 2.81 to 2.82
• #6906 - Bump google-cloud-datastore from 2.1.0 to 2.1.2
• #6903 - Bump grpc-core from 1.40.1 to 1.41.0
• #6865 - Bump jnr-unixsocket from 0.38.10 to 0.38.11
• #6858 - Bump guice from 4.2.2 to 5.0.1
• #6857 - Bump org.eclipse.osgi.services from 3.10.100 to 3.10.200
• #6847 - Bump org.eclipse.osgi.util from 3.6.0 to 3.6.100
• #6841 - Bump org.eclipse.osgi from 3.16.300 to 3.17.0
• #6816 - Bump mariadb-java-client from 2.7.0 to 2.7.4
• #6786 - Bump org.eclipse.osgi from 3.16.0 to 3.16.300
• #6772 - Update to asm 9.2
• #6746 - Bump hazelcast.version from 3.12.10 to 3.12.12
• #6739 - Bump jmh.version from 1.26 to 1.33
• #6671 - Update to apache jsp 8.5.70

Changelog

• This release resolves CVE-2021-34429
• #6473 - Improve alias checking in PathResource
• #6470 - java.nio.ReadOnlyBufferException
• #6447 - Deprecate support for UTF16 encoding in URIs
• #6426 - Update to spifly 1.3.3
• #6425 - Update to asm 9.1

Changelog

• This release resolves CVE-2021-34429
• #6473 - Improve alias checking in PathResource
• #6468 - Revert logic in Request.setMetaData & clear emptySegment on HttpUri.clear()
• #6464 - Wrong files/lib definitions in certain *-capture.mod files?
• #6447 - Deprecate support for UTF16 encoding in URIs
• #6426 - Update to spifly 1.3.3
• #6425 - Update to asm 9.1
• #6418 - Bad and/or missing Require-Capability for osgi.serviceloader
• #6410 - Ensure Jetty IO uses SocketAddress instead of InetSocketAddress
• #6407 - Malformed scheme logical expression check in WebSocket ClientUpgradeRequest
• #6394 - Review osgi manifests within Jetty 11
• #6376 - Cleanups for SslClientCertAuthenticator.
• #6375 - Always check XML Set elements with property attribute
• #6353 - Rename EWYK The AdaptiveExecutionStrategy

Changelog

• This release resolves CVE-2021-34429
• #6473 - Improve alias checking in PathResource
• #6468 - Revert logic in Request.setMetaData & clear emptySegment on HttpUri.clear()
• #6464 - Wrong files/lib definitions in certain *-capture.mod files?
• #6447 - Deprecate support for UTF16 encoding in URIs
• #6426 - Update to spifly 1.3.3
• #6425 - Update to asm 9.1
• #6418 - Bad and/or missing Require-Capability for osgi.serviceloader
• #6410 - Ensure Jetty IO uses SocketAddress instead of InetSocketAddress
• #6407 - Malformed scheme logical expression check in WebSocket ClientUpgradeRequest
• #6394 - Review osgi manifests within Jetty 10
• #6376 - Cleanups for SslClientCertAuthenticator.
• #6375 - Always check XML Set elements with property attribute
• #6353 - Rename EWYK The AdaptiveExecutionStrategy

Changelog

• #6392 - Review accidental xml config changes
• #6379 - Reduce contention in all ByteBufferPool implementations
• #6354 - org.slfj dependency imports packages at 2.0
• #6329 - Regression on graceful shutdown default in Jetty 10
• #6302 - Treat empty path segments are ambiguous.
• #4772 - Jetty WebSocket API onMessage annotation does not support partial messages.

Changelog

• #6392 - Review accidental xml config changes
• #6379 - Reduce contention in all ByteBufferPool implementations
• #6354 - org.slfj dependency imports packages at 2.0
• #6329 - Regression on graceful shutdown default in Jetty 10
• #6302 - Treat empty path segments are ambiguous.
• #4772 - Jetty WebSocket API onMessage annotation does not support partial messages.

Changelog

• #6342 - Explain EatWhatYouKill naming
• #6330 - CustomRequestLog is missing HTTP version format option
• #6323 - HttpClient gets stuck/never calls onComplete() when multiple requests with timeouts are sent
• #6308 - Ensure buffers are returned to pool by MessageInputStream
• #6287 - Class loading broken for WebSocketClient used inside webapp
• #6285 - HTTP2 client: IllegalStateException: Cannot release an already released entry
• #6276 - Support non-standard domains in SNI and X509
• #6268 - Warnings about "unable to parse form content" are not helpful for troubleshooting
• #6118 - Display a warning when Hazelcast configuration does not contain Jetty session serializer
• #5931 - SslConnection should implement getBytesIn()/getBytesOut()