jetty-website: deploy
diff --git a/security-reports.html b/security-reports.html
index 67a8f29..0fc94e4 100644
--- a/security-reports.html
+++ b/security-reports.html
@@ -4,7 +4,7 @@
If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged.
The most direct method is to mail <a class="link" href="mailto:security@webtide.com" target="_top">security@webtide.com</a>.
Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method.
-We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances.</p><p>If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to <a class="link" href="mailto:security@eclipse.org" target="_top">ecurity@eclipse.org</a>.</p><p>If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine.</p><p>We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it has no facility to tag issues as <span class="emphasis"><em>private</em></span>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reports"></a>Jetty Security Reports</h2></div></div></div><p>The following sections provide information about Jetty security issues.</p><div class="table"><a name="d0e33"></a><p class="title"><b></b></p><div class="table-contents"><table class="table" summary="Resolved Issues" border="1" width="99%"><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"><col class="col_6"><col class="col_7"></colgroup><thead><tr><th align="left" valign="top">yyyy/mm/dd</th><th align="left" valign="top">ID</th><th align="left" valign="top">Exploitable</th><th align="left" valign="top">Severity</th><th align="left" valign="top">Affects</th><th align="left" valign="top">Fixed Version</th><th align="left" valign="top">Comment</th></tr></thead><tbody><tr><td align="left" valign="top"><p>2020/11/17</p></td><td align="left" valign="top"><p>CVE-2020-27218</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>9.4.0.RC0 - 9.4.34, 10.0.0.alpha0 - 10.0.0.beta2, 11.0.0.alpha0 - 11.0.0.beta2</p></td><td align="left" valign="top"><p>9.4.35, 10.0.0.beta3, 11.0.0.beta3</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218" target="_top">If GZIP request body inflation is enabled and requests
+We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances.</p><p>If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to <a class="link" href="mailto:security@eclipse.org" target="_top">security@eclipse.org</a>.</p><p>If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine.</p><p>We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it has no facility to tag issues as <span class="emphasis"><em>private</em></span>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reports"></a>Jetty Security Reports</h2></div></div></div><p>The following sections provide information about Jetty security issues.</p><div class="table"><a name="d0e33"></a><p class="title"><b></b></p><div class="table-contents"><table class="table" summary="Resolved Issues" border="1" width="99%"><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"><col class="col_6"><col class="col_7"></colgroup><thead><tr><th align="left" valign="top">yyyy/mm/dd</th><th align="left" valign="top">ID</th><th align="left" valign="top">Exploitable</th><th align="left" valign="top">Severity</th><th align="left" valign="top">Affects</th><th align="left" valign="top">Fixed Version</th><th align="left" valign="top">Comment</th></tr></thead><tbody><tr><td align="left" valign="top"><p>2020/11/17</p></td><td align="left" valign="top"><p>CVE-2020-27218</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>9.4.0.RC0 - 9.4.34, 10.0.0.alpha0 - 10.0.0.beta2, 11.0.0.alpha0 - 11.0.0.beta2</p></td><td align="left" valign="top"><p>9.4.35, 10.0.0.beta3, 11.0.0.beta3</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218" target="_top">If GZIP request body inflation is enabled and requests
from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body.</a></p></td></tr><tr><td align="left" valign="top"><p>2020/10/19</p></td><td align="left" valign="top"><p>CVE-2020-27216</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>< = 9.4.32</p></td><td align="left" valign="top"><p>9.3.29, 9.4.33</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27216" target="_top">If using a shared temp directory on UNIX-based systems an attacker could exploit the creation of a randomly generated file or directory allowing them to execute code and allowing for local privilege escalation.</a></p></td></tr><tr><td align="left" valign="top"><p>2020/07/09</p></td><td align="left" valign="top"><p>CVE-2019-17638</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>>= 9.4.27, < = 9.4.29</p></td><td align="left" valign="top"><p>9.4.30</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638" target="_top">In the case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/11/25</p></td><td align="left" valign="top"><p>CVE-2019-9518</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>>= 9.4.21, < = 9.4.23</p></td><td align="left" valign="top"><p>9.4.24</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17632" target="_top">The generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9518</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518" target="_top">Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9516</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516" target="_top">Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9515</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515" target="_top">Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sent a stream of SETTINGS frames to the peer.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9514</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514" target="_top">Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9512</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512" target="_top">Some HTTP/2 implementations are vulnerable to ping floods which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9511</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" target="_top">Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10247</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.16</p></td><td align="left" valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247" target="_top">If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10246</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>< = 9.4.16</p></td><td align="left" valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10241</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>< = 9.4.15</p></td><td align="left" valign="top"><p>9.2.27, 9.3.26, 9.4.16</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12538</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>>= 9.4.0, < = 9.4.8</p></td><td align="left" valign="top"><p>9.4.9</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538" target="_top"><code class="literal">HttpSessions</code> present specifically in the FileSystem’s storage could be hijacked/accessed by an unauthorized user.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12536</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/209.html" target="_top">CWE-202</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536" target="_top"><code class="literal">InvalidPathException</code> Message reveals webapp system path.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7658</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7658" target="_top">Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7657</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657" target="_top">HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7656</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7656" target="_top">HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).</a></p></td></tr><tr><td align="left" valign="top"><p>2016/05/31</p></td><td align="left" valign="top"><p>CVE-2016-4800</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>= 9.3.0, < = 9.3.8</p></td><td align="left" valign="top"><p>9.3.9</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2016-001.html" target="_top">Alias vulnerability allowing access to protected resources within a webapp on Windows.</a></p></td></tr><tr><td align="left" valign="top"><p>2015/02/24</p></td><td align="left" valign="top"><p><a class="link" href="http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html" target="_top">CVE-2015-2080</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>=9.2.3 <9.2.9</p></td><td align="left" valign="top"><p>9.2.9</p></td><td align="left" valign="top"><p>JetLeak exposure of past buffers during HttpParser error</p></td></tr><tr><td align="left" valign="top"><p>2013/11/27</p></td><td align="left" valign="top"><p><a class="link" href="http://en.securitylab.ru/lab/PT-2013-65" target="_top">PT-2013-65</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>=9.0.0 <9.0.5</p></td><td align="left" valign="top"><p>9.0.6
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014" target="_top">418014</a></p></td><td align="left" valign="top"><p>Alias checking disabled by NTFS errors on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2013/07/24</p></td><td align="left" valign="top"><p><a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>>=7.6.9 <9.0.5</p></td><td align="left" valign="top"><p>7.6.13,8.1.13,9.0.5
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>Constraints bypassed if Unix symlink alias checker used on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2011/12/29</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2011-003.html" target="_top">CERT2011-003</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461" target="_top">CVE-2011-4461</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>All versions</p></td><td align="left" valign="top"><p>7.6.0.RCO
