We should bump the dependency that Puppet Server has on the trapperkeeper-webserver-jetty9 package to version 1.3.0.
Version 1.3.0 includes Jetty version 9.2.10, which addresses a critical security vulnerability present in Jetty versions 9.2.3 - 9.2.8. See https://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html. Note that tk-jetty9 version 1.2.0, which Puppet Server currently uses, references Jetty version 9.2.8. No Puppet Server release has been made since that tk-jetty9 upgrade, though, so the vulnerability has not been present in any released version of Puppet Server. Puppet Server 1.0.3 and earlier used tk-jetty9 versions that referenced Jetty version 9.1.0.
As part of this bump, the defaults for two settings in the webserver section will change:
- max-threads - from 100 to 200.
- shutdown-timeout-seconds - from 60 to 30 seconds.
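As an added example (not part of this ticket or of Puppet Server's own code), a small Python check that reads a webserver section and reports which of the two settings a deployment leaves unset, since those are the ones whose effective value changes with the bump; the sample config and the flat key/value parser are constructed here and do not cover full HOCON syntax.

```python
import re

# Defaults for the two webserver settings whose defaults change between
# tk-jetty9 1.2.0 (used by Puppet Server before this bump) and 1.3.0.
OLD_DEFAULTS = {"max-threads": 100, "shutdown-timeout-seconds": 60}
NEW_DEFAULTS = {"max-threads": 200, "shutdown-timeout-seconds": 30}

# Constructed sample: a webserver.conf that pins max-threads explicitly
# but relies on the library default for shutdown-timeout-seconds.
SAMPLE_CONF = """
webserver: {
    host: 0.0.0.0
    port: 8140
    max-threads: 150
    # shutdown-timeout-seconds not set: relies on the library default
}
"""

# Matches the flat `key: value` or `key = value` form only.
_SETTING_RE = re.compile(r"^\s*([\w-]+)\s*[:=]\s*([^#\s]+)")


def parse_webserver_section(text):
    """Return {key: value} for the flat settings inside the `webserver` block.
    Nested blocks and HOCON substitutions are out of scope for this check."""
    settings = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("webserver") and stripped.endswith("{"):
            in_block = True
            continue
        if in_block and stripped.startswith("}"):
            break
        if in_block:
            m = _SETTING_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def effective_changes(text):
    """Return {setting: (old_effective, new_effective)} for each tracked
    setting the config leaves at the library default, i.e. the settings
    whose effective value silently changes after the tk-jetty9 bump."""
    explicit = parse_webserver_section(text)
    return {key: (OLD_DEFAULTS[key], NEW_DEFAULTS[key])
            for key in OLD_DEFAULTS if key not in explicit}
```

Running `effective_changes` over each deployment's webserver.conf before upgrading shows which settings need to be pinned to keep the previous behaviour.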