[SERVER-513] Bump to tk-jetty9 1.3.0 and changes to shutdown-timeout-seconds and max-threads defaults - Puppet Tickets

XML

Word

Printable

Details

Type: Task
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: SERVER 1.0.8, SERVER 2.1.0
Component/s: None
Labels:
None

Epic Link:
Green: Puppet Server 1.0.8 / PE 3.8
Sub-team:
- emerald
Story Points:
1
Sprint:
Server Emerald 2015-04-01

Description

We should bump the dependency that Puppet Server has on the trapperkeeper-webserver-jetty9 package to version 1.3.0.

Version 1.3.0 includes Jetty version 9.2.10, which addresses a critical security vulnerability that was present in Jetty versions 9.2.3 - 9.2.8. See https://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html. Note that Jetty version 9.2.8 was being referenced by tk-jetty9 version 1.2.0, which is currently being used by Puppet Server. No Puppet Server release has been done since the upgrade to tk-jetty9 yet, though, so this vulnerability would not have been present in a released version of Puppet Server. Puppet Server 1.0.3 and earlier were using tk-jetty9 versions that referenced Jetty version 9.1.0.

In the process of doing so, the defaults for a couple of settings in the webserver section will change:

max-threads - from 100 to 200.
shutdown-timeout-seconds - from 60 to 30 seconds.

Attachments

Issue Links

links to

PRs

Activity

People

Assignee:: qa

Reporter:: Jeremy Barlow

QA Contact:: Erik Dasher

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2015/03/24 12:46 PM

Updated:: 2015/06/01 5:39 PM

Resolved:: 2015/03/28 11:45 PM