Shibboleth IdP FYI: Jetty 9.2 Headed into Security-Maintenance-Only Status

Cantor, Scott E.

Jetty 9.2 Headed into Security-Maintenance-Only Status
======================================================
This is an informational note to inform our community of an upcoming
change in Jetty 9.2's status, principally because we have included it
as the supported container in the Shibboleth IdP's Windows installer.

The Jetty project has informally disclosed that its intention is to
sunset what they term "open source" support for the Jetty 9.2 release
branch once Jetty 9.4 is released, which is expected sometime in the
next few weeks. [1]

The note indicates that it will be "end of life", but also suggests
they will release any security patches produced as part of their
commercial support business, so the status is more along the lines of
our current position on the V2 Identity Provider software, with security
fixes only.

Because we have provided this Jetty version with all versions of the V3
Windows installer as an embedded container, we plan to ship a service
release of the installer, provisionally V3.2.1.1, which will update the
embedded container to Jetty 9.3 along with the appropriate
configuration.

However, you may need to start to prepare for this release now since
Jetty 9.3 _requires_ Java version 1.8 and your IdP needs to be running
under Java 1.8 by the time you update to this service release. The
installer does _not_ include the Java runtime itself (this is impossible
for licensing reasons), so that is the responsibility of the deployer.

Recommendations
===============
If you are not running the IdP on Windows via the installer, or are not
relying on the embedded Jetty container it includes, no action is needed
apart from your own awareness of the software you depend on, as with any
other components you have deployed.

If however you are running the IdP with the installer-supplied embedded
Jetty container, check that you are running Java version 1.8 (examine
your IdP logs during startup, or the /idp/status page), and make plans
to upgrade if required.

Note that this will typically require changes to any Scripted attribute
definitions (or other scriptlets) or that you deploy Rhino - see [2].
The fastest and safest way to upgrade if you have lots of scripts is to
use the Rhino scripting engine, at least initially.

Be on the lookout for the announcement of the V3.2.1.1 service update
in the next few weeks.

[1] http://dev.eclipse.org/mhonarc/lists/jetty-dev/msg02726.html
[2] https://wiki.shibboleth.net/confluence/x/hoC3



