Shibboleth IdP FYI: Jetty 9.2 Headed into Security-Maintenance-Only Status

Cantor, Scott E.
This is an informational note to inform our community of an upcoming
change in Jetty 9.2's status, principally because we have included it
as the supported container in the Shibboleth IdP's Windows installer.

The Jetty project has informally disclosed that its intention is to
sunset what they term "open source" support for the Jetty 9.2 release
branch once Jetty 9.4 is released, which is expected sometime in the
next few weeks. [1]

The note indicates that it will be "end of life", but also suggests
they will release any security patches produced as part of their
commercial support business, so the status is more along the lines of
our current position on the V2 Identity Provider software, with security
fixes only.

Because we have provided this Jetty version with all versions of the V3
Windows installer as an embedded container, we plan to ship a service
release of the installer, provisionally V3.2.1.1, which will update the
embedded container to Jetty 9.3 along with the appropriate

However, you may need to start to prepare for this release now since
Jetty 9.3 _requires_ Java version 1.8 and your IdP needs to be running
under Java 1.8 by the time you update to this service release. The
installer does _not_ include the Java runtime itself (this is impossible
for licensing reasons), so that is the responsibility of the deployer.

If you are not running the IdP on Windows via the installer, or are not
relying on the embedded Jetty container it includes, no action is needed
apart from your own awareness of the software you depend on, as with any
other components you have deployed.

If, however, you are running the IdP with the installer-supplied embedded
Jetty container, check that you are running Java version 1.8 (examine
your IdP logs during startup, or the /idp/status page), and make plans
to upgrade if required.

Note that this will typically require changes to any Scripted attribute
definitions (or other scriptlets) or that you deploy Rhino - see [2].
The fastest and safest way to upgrade if you have lots of scripts is to
use the Rhino scripting engine, at least initially.

Be on the lookout for the announcement of the V3.2.1.1 service update
in the next few weeks.


