- Package:
- src:jetty9
- Source:
- src:jetty9
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2025-04-01 18:18:01 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for jetty9.

CVE-2024-6763[0]:
| Eclipse Jetty is a lightweight, highly scalable, Java-based web
| server and Servlet engine. It includes a utility class, HttpURI,
| for URI/URL parsing. The HttpURI class does insufficient validation
| on the authority segment of a URI. However the behaviour of HttpURI
| differs from the common browsers in how it handles a URI that would
| be considered invalid if fully validated against the RFC.
| Specifically HttpURI and the browser may differ on the value of the
| host extracted from an invalid URI and thus a combination of Jetty
| and a vulnerable browser may be vulnerable to an open redirect
| attack or to an SSRF attack if the URI is used after passing
| validation checks.

https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh

This appears to be only fixed for 12.x.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6763
    https://www.cve.org/CVERecord?id=CVE-2024-6763

Please adjust the affected versions in the BTS as needed.
According to upstream, the jetty9 server and client are not affected, or more specifically, quote:

"Jetty 9 doesn't even have a UriCompliance, nor is it RFC9110. This PR in Jetty 9 makes no sense. We cannot force RFC9110 on Jetty 9 users, and the Jetty 9 users have no means to configure this UriCompliance rule once it is implemented."

This is more of an issue of how browsers and Jetty use different conventions to parse a URI. The solution for jetty12 is to deprecate a part of a newer specification which jetty9 does not even use. This can't be properly addressed in Jetty 9. I'll keep this issue open for further reference.