
[WFCORE-6860][WFCORE-6861][WFCORE-6862] CVE-2024-6162 CVE-2024-27316 Upgrade Undertow, XNIO and JBoss Remoting #6043

Merged
merged 3 commits into from
Jun 21, 2024

Conversation

@fl4via fl4via (Contributor) commented Jun 20, 2024

Jiras:
https://issues.redhat.com/browse/WFCORE-6860
https://issues.redhat.com/browse/WFCORE-6861
https://issues.redhat.com/browse/WFCORE-6862

Release Notes - XNIO - Version 3.8.16.Final

Bug

  • [XNIO-434] - Make wakeupReads and wakeWrites invoke listener in closed channels (XNIO-427 Breaks wakeup calls contract)

Release Notes - JBoss Remoting (3+) - Version 5.0.29.Final

Bug

  • [REM3-413] - ClosedChannelException when NioSocketConduit.handleReady invokes write listener after read listener closes connection

Task

  • [REM3-402] - Add README and other community documents

Component Upgrade

  • [REM3-411] - For the 5.x+ branches bring the WildFly Elytron version inline with WildFly (2.4.2.Final)

Enhancement

  • [REM3-409] - Test Remoting on JDK21
  • [REM3-412] - For testing individual Elytron dependencies should be listed instead of the shaded jar

Release Notes - Undertow - Version 2.3.14.Final

Sub-task

  • [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

  • [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
  • [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
  • [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
  • [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
  • [UNDERTOW-2385] - Memory leak in ThreadLocalCache
  • [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
  • [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
  • [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
  • [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

Enhancement

  • [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable

Signed-off-by: Flavia Rainone <frainone@redhat.com>
Signed-off-by: Flavia Rainone <frainone@redhat.com>
….Final

Signed-off-by: Flavia Rainone <frainone@redhat.com>
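The practical question a downstream consumer of this PR has is whether a given build actually resolves the fixed component versions. The following Python script is an added example, not code from this PR or from the WildFly project: it reads the `<properties>` block of a pom.xml, compares the resolved versions against the floors named in the release notes above (Undertow 2.3.14.Final, XNIO 3.8.16.Final, JBoss Remoting 5.0.29.Final), and orders Maven-style qualifiers so that `Beta1` < `Final` < `SP1`. The property names (`version.io.undertow` and so on) and the sample pom are assumptions made for the example; adjust them to the pom you are checking.

```python
"""Check resolved component versions in a pom.xml against the floors shipped
by wildfly-core PR #6043. Added example; not project code. The Maven
property names below are assumed, not taken from the real wildfly-core pom."""
import re
import xml.etree.ElementTree as ET

# Floors from the release notes in the PR description.
MIN_VERSIONS = {
    "version.io.undertow": "2.3.14.Final",
    "version.org.jboss.xnio": "3.8.16.Final",
    "version.org.jboss.remoting": "5.0.29.Final",
}

# Rank of the textual qualifier; a bare numeric version counts as a release.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "snapshot": 3,
                  "": 4, "final": 4, "ga": 4, "sp": 5}


def parse_version(version):
    """'2.3.14.SP1' -> ([2, 3, 14], rank_of('sp'), 1)."""
    parts = version.split(".")
    nums = []
    i = 0
    while i < len(parts) and parts[i].isdigit():
        nums.append(int(parts[i]))
        i += 1
    qualifier = ".".join(parts[i:]).lower()
    match = re.match(r"([a-z]*)(\d*)", qualifier)
    name, number = match.group(1), match.group(2)
    rank = QUALIFIER_RANK.get(name, 4)  # unknown qualifier: treat as release
    return nums, rank, int(number) if number else 0


def version_at_least(actual, minimum):
    """True when `actual` is the same release as `minimum` or newer."""
    a_nums, a_rank, a_num = parse_version(actual)
    m_nums, m_rank, m_num = parse_version(minimum)
    width = max(len(a_nums), len(m_nums))
    a_nums = a_nums + [0] * (width - len(a_nums))  # 3.8 == 3.8.0
    m_nums = m_nums + [0] * (width - len(m_nums))
    return (a_nums, a_rank, a_num) >= (m_nums, m_rank, m_num)


def resolved_properties(pom_xml):
    """Return the <properties> of a pom as a dict, with or without the POM namespace."""
    root = ET.fromstring(pom_xml)
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    props = root.find("m:properties", ns)
    if props is None:
        props = root.find("properties")
    out = {}
    if props is not None:
        for child in props:
            tag = child.tag.split("}", 1)[-1]  # strip '{namespace}'
            out[tag] = (child.text or "").strip()
    return out


def check_pom(pom_xml, floors=MIN_VERSIONS):
    """Map each floor property to (resolved version or None, meets_floor)."""
    props = resolved_properties(pom_xml)
    result = {}
    for prop, floor in floors.items():
        actual = props.get(prop)
        result[prop] = (actual, actual is not None and version_at_least(actual, floor))
    return result


# Constructed sample pom: Undertow deliberately one patch release behind the fix.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <version.io.undertow>2.3.13.Final</version.io.undertow>
    <version.org.jboss.xnio>3.8.16.Final</version.org.jboss.xnio>
    <version.org.jboss.remoting>5.0.29.Final</version.org.jboss.remoting>
  </properties>
</project>
"""

if __name__ == "__main__":
    for prop, (actual, ok) in check_pom(SAMPLE_POM).items():
        status = "OK " if ok else "OLD"
        print(f"{status} {prop}: {actual!r} (floor {MIN_VERSIONS[prop]})")
```

Run it against a real pom by replacing `SAMPLE_POM` with the file contents; note that it only checks declared properties, so a version pinned through a parent BOM or `dependencyManagement` override still needs `mvn dependency:tree` to confirm what is actually resolved.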
@github-actions github-actions bot added the deps-ok Dependencies have been checked, and there are no significant changes label Jun 20, 2024
@yersan yersan (Collaborator) commented Jun 21, 2024

I think it could be unrelated, but org.wildfly.test.integration.microprofile.jwt.propagation.JWTIdentityPropagationTestCase(standalone-enabled-microprofile-test).testInvokeEJBWithinSingleDeploymentOutflowAnonymousConfigured has constantly failed three times on Windows (two for this PR and one for #6044)

It passed on Linux, let's kick it off again to see how it goes

@yersan yersan added the ready-for-merge This PR is ready to be merged and fulfills all requirements label Jun 21, 2024
@yersan yersan merged commit da747cf into wildfly:main Jun 21, 2024
12 checks passed
@yersan yersan (Collaborator) commented Jun 21, 2024

@fl4via @ropalka thank you!
