Update security advisory GHSA-qh8g-58pp-2wxh for CVE-2024-6763 #12783

Closed
clement-fouque opened this issue Feb 10, 2025 · 7 comments
@clement-fouque

You've recently released version 9.4.57.v20241219 that fixes CVE-2024-6763.

Some scanners such as Qualys are not willing to take this version into account until the security advisory GHSA-qh8g-58pp-2wxh is updated (even though we pointed them to the released version). Can you please modify the security advisory to add patched version 9.4.57.v20241219?

Thank you.

@joakime (Contributor) commented Feb 10, 2025

Jetty 9.x is now at End of Community Support.

Nobody should be using Jetty 9.x anymore.
I'll look into filing an EOL for Jetty 9/10/11 with Qualys instead.

@joakime (Contributor) commented Feb 10, 2025

Note, if you still need support for javax.servlet, then Jetty 12 with the ee8 environment provides that, and is also a mainline / supported version of Jetty.

@joakime (Contributor) commented Feb 10, 2025

I've started the process at Eclipse CNA to label Jetty 11/10/9/8/7 as EOL on the CVE/Mitre databases.
That should make its way up to Qualys.

@clement-fouque (Author)

@joakime thanks for your feedback.

I still believe we should update the security advisory even though the version is EOL. All versions eventually reach this EOL stage. If we apply patch 9.4.57.v20241219, it will mitigate CVE-2024-6763 (from an EOL Jetty version).

FYI, I’ll inform "my" developers that Jetty 9.x is end-of-life and that they should migrate to 12.x.

@joakime (Contributor) commented Feb 10, 2025

Read CVE-2024-6763, you'll see that you are likely not vulnerable.
Even on 9.4.56 or 9.4.12.

If you just use Jetty Server or Jetty Client then you are not vulnerable.

If you use HttpURI directly AND use it for security features that work with the URI authority, then you are vulnerable.
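
As an added illustration of the distinction drawn in this comment (example code written for this page, not code from the issue or from Jetty itself): an application check that bases a redirect decision on the host HttpURI extracted, beside a hardened variant that cross-checks the same input against java.net.URI and denies on any disagreement. The class, method names and allowlist are hypothetical; the `new HttpURI(String)` constructor and `getHost()`/`getScheme()` getters are assumed from the Jetty 9.4 API.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import org.eclipse.jetty.http.HttpURI;

// Hypothetical application code of the kind the comment above describes: it reads the
// authority out of Jetty's HttpURI itself and bases a security decision on it (here, an
// allowlist of redirect hosts). Jetty Server/Client never do this on the app's behalf.
public final class RedirectTargetCheck {

    // Constructed allowlist for this example only.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "sso.example.com"));

    // Exposed shape: the decision trusts whatever host HttpURI extracted from user input.
    public static boolean isAllowedHttpUriOnly(String target) {
        HttpURI uri = new HttpURI(target);   // Jetty 9.4 constructor; Jetty 12 uses HttpURI.from(target)
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Hardened shape: HttpURI may accept an authority a browser would read differently, so
    // the input is also parsed strictly with java.net.URI, both parsers must agree on scheme
    // and host, user-info is refused, and any exception or disagreement denies the redirect.
    public static boolean isAllowedCrossChecked(String target) {
        final HttpURI jettyUri;
        final URI strictUri;
        try {
            jettyUri = new HttpURI(target);
            strictUri = new URI(target);
        } catch (URISyntaxException | IllegalArgumentException e) {
            return false;
        }
        String jettyHost = jettyUri.getHost();
        String strictHost = strictUri.getHost();   // null unless the authority is host-based
        if (jettyHost == null || strictHost == null || strictUri.getRawUserInfo() != null) {
            return false;
        }
        boolean sameHost = jettyHost.equalsIgnoreCase(strictHost);
        boolean sameScheme = jettyUri.getScheme() != null
                && jettyUri.getScheme().equalsIgnoreCase(strictUri.getScheme());
        return sameHost && sameScheme && ALLOWED_HOSTS.contains(strictHost.toLowerCase(Locale.ROOT));
    }
}
```

Code that never calls HttpURI for such a decision, as in the "just Jetty Server or Jetty Client" case above, has nothing to change.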

@joakime (Contributor) commented Feb 10, 2025

Incidentally, the recommendations from CVE/Mitre are to not list fixes for EOL versions of products.
Since 9.x is End of Community Support, this CVE will not be updated.

joakime self-assigned this Feb 10, 2025

@clement-fouque (Author)

It seems updating the security advisory is not an option. I'm closing the issue. Thanks.
