Java News from Tuesday, November 17, 2009

Mort Bay Consulting has released Jetty 6.1.22, an open source servlet engine that supports version 2.5 of the Java Servlet API and version 2.1 of JavaServer Pages. It is also my personal favorite embeddable web server. According to Greg Wilkins,

This release contains a workaround for the vulnerability in the SSL protocol that is documented in CVE-2009-3555. The workaround prevents renegotiation of SSL connections and this prevents man-in-the-middle text injection. This workaround may affect some client certificate usage and for that, an updated JVM will be required.

Another security-related fix is that the log is now filtered for control characters to protect against vulnerable xterms.

It is highly recommended that all Jetty 6 servers are updated to use 6.1.22.
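
The log filtering described in the announcement can be pictured with the following added example. It is not Jetty's code: the class name LogSanitizer, the method sanitize and the sample request value are hypothetical and constructed for illustration. It replaces every control character in client-supplied text with a visible escape before the text reaches a log that someone may later view in a terminal.

```java
public class LogSanitizer {

    /**
     * Returns a copy of the input that is safe to write to a log file.
     * C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F) are
     * written as a visible hex escape, so a terminal emulator displaying
     * the log never receives an escape sequence, and CR/LF in a request
     * cannot start a forged log line.
     */
    static String sanitize(String s) {
        if (s == null) {
            return "-";                        // common placeholder for a missing field
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            if (cp == '\\') {
                out.append("\\\\");            // escape the backslash so output stays unambiguous
            } else if (Character.isISOControl(cp)) {
                out.append(String.format("\\x%02X", cp));
            } else {
                out.appendCodePoint(cp);       // printable text, including non-ASCII, is kept
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a request path carrying an ESC-based terminal
        // sequence followed by CR/LF and text meant to look like a new log entry.
        String requestPath = "/index.html\u001B]0;title\u0007\r\nforged entry";

        // Only the sanitized form is ever written out.
        System.out.println("GET " + sanitize(requestPath) + " 404");
    }
}
```

Escaping rather than deleting the characters keeps the evidence of the attempt in the log for later review.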