But it will not be in 3.10.0?
I think Dele is asking to revert this patch because of some issues in OfMeet and plugins. But i have one more question. If this is intended for 3.10.1, then how can it be isolated in the build system, so we can test new fixes for 3.10.0 branch? Now all new builds contain everything (Jetty 9.2 an new fixes).
I am pretty sure that Dele's request was related to (which has been fixed). I will mark this for 3.10.0 since it has been merged into the main branch.
This morning, I noticed this announcement on the Jetty-Users maillinglist:
The Jetty Project is announcing a critical security release of Jetty
This release is considered a critical security release for all
users of Jetty 9.2.3 through 9.2.8.
The full message is here: http://dev.eclipse.org/mhonarc/lists/jetty-users/msg05594.html
I am re-opening this issue, as the fix-version has not been released yet (and I feel we should prevent it from being released without addressing this vulnerability). I'll have a stab at updating the libraries later today.
Checked in the update for Openfire.
I'm noticing that the connenction-manager project lags behind considerably. It currently is based on Jetty 7.0.1. I'm tackling this now. In hindsight, this is more work, as other changes that were applied to Openfire need to be applied to CM as well. Lets tackle this as a separate issue.