  1. Puppet Server
  2. SERVER-513

Bump to tk-jetty9 1.3.0 and changes to shutdown-timeout-seconds and max-threads defaults

    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 1.0.8, SERVER 2.1.0
    • Component/s: None
    • Labels:
      None
    • Story Points:
      1
    • Sprint:
      Server Emerald 2015-04-01

      Description

      We should bump the dependency that Puppet Server has on the trapperkeeper-webserver-jetty9 package to version 1.3.0.

      Version 1.3.0 includes Jetty version 9.2.10, which addresses a critical security vulnerability that was present in Jetty versions 9.2.3 - 9.2.8. See https://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html. Note that Jetty version 9.2.8 was being referenced by tk-jetty9 version 1.2.0, which is currently being used by Puppet Server. No Puppet Server release has been done since the upgrade to tk-jetty9 yet, though, so this vulnerability would not have been present in a released version of Puppet Server. Puppet Server 1.0.3 and earlier were using tk-jetty9 versions that referenced Jetty version 9.1.0.

      In the process of doing so, the defaults for a couple of settings in the webserver section will change:

      • max-threads - from 100 to 200.
      • shutdown-timeout-seconds - from 60 to 30 seconds.
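
An added example (not part of the original ticket or the Puppet Server code base): one way to audit a deployment's jar list for Jetty artifacts inside the affected range the description gives, 9.2.3 through 9.2.8. The function names and sample filenames are assumptions made for illustration, and the `v00000000` qualifiers are constructed placeholders.

```python
import re

# Affected range as stated in the ticket: Jetty 9.2.3 through 9.2.8 inclusive.
AFFECTED_MIN = (9, 2, 3)
AFFECTED_MAX = (9, 2, 8)

# Jetty artifact names look like jetty-<module>-<major>.<minor>.<patch>[.<qualifier>].jar
JAR_RE = re.compile(
    r"^(jetty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9_-]+)?\.jar$"
)


def parse_jetty_jar(filename):
    """Return (artifact, (major, minor, patch)), or None if not a Jetty jar."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group(1), tuple(int(part) for part in m.groups()[1:4])


def is_affected(version):
    # Compare as integer tuples: a string comparison would sort
    # "9.2.10" before "9.2.8" and wrongly flag the fixed release.
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def audit(filenames):
    """Return (filename, version) pairs for Jetty jars in the affected range."""
    findings = []
    for name in filenames:
        parsed = parse_jetty_jar(name)
        if parsed and is_affected(parsed[1]):
            findings.append((name, ".".join(str(n) for n in parsed[1])))
    return findings


# Constructed sample input: filenames as they might appear in a lib directory.
SAMPLE_JARS = [
    "jetty-server-9.2.8.v00000000.jar",    # version referenced by tk-jetty9 1.2.0
    "jetty-http-9.2.10.v00000000.jar",     # version included in tk-jetty9 1.3.0
    "jetty-util-9.1.0.v00000000.jar",      # version used by Puppet Server 1.0.3 and earlier
    "jetty-io-9.2.3.jar",                  # lower bound of the range, no qualifier
    "trapperkeeper-webserver-jetty9-1.2.0.jar",  # not a Jetty artifact itself
]

if __name__ == "__main__":
    for jar, version in audit(SAMPLE_JARS):
        print(f"AFFECTED: {jar} (Jetty {version})")
```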

              People

              Assignee:
              qa qa
              Reporter:
              jeremy.barlow Jeremy Barlow
              QA Contact:
              Erik Dasher Erik Dasher