diff --git a/.cvsignore b/.cvsignore
index b8974e4..5e1ca9b 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1,2 @@
 jetty-5.1.12.fedora.zip
+jetty-5.1.14.fedora.tgz
diff --git a/jetty-CERT438616-CERT237888-CERT21284.patch b/jetty-CERT438616-CERT237888-CERT21284.patch
new file mode 100644
index 0000000..964f047
--- /dev/null
+++ b/jetty-CERT438616-CERT237888-CERT21284.patch
@@ -0,0 +1,178 @@
+Index: src/org/mortbay/http/HttpFields.java
+===================================================================
+RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/http/HttpFields.java,v
+retrieving revision 1.77
+diff -r1.77 HttpFields.java
+1461a1462
+> value=StringUtil.noCRLF(value);
+Index: src/org/mortbay/http/HttpResponse.java
+===================================================================
+RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/http/HttpResponse.java,v
+retrieving revision 1.62
+diff -r1.62 HttpResponse.java
+21a22
+> import java.util.Date;
+22a24
+> import java.util.List;
+462a465,519
+> public void addDateField(String name, Date date)
+> {
+> super.addDateField(sanitize(name),date);
+> }
+>
+> public void addDateField(String name, long date)
+> {
+> super.addDateField(sanitize(name),date);
+> }
+>
+> public void addField(String name, String value) throws IllegalStateException
+> {
+> super.addField(sanitize(name),sanitize(value));
+> }
+>
+> public void addIntField(String name, int value)
+> {
+> super.addIntField(sanitize(name),value);
+> }
+>
+> public void setContentType(String contentType)
+> {
+> super.setContentType(sanitize(contentType));
+> }
+>
+> public void setDateField(String name, Date date)
+> {
+> super.setDateField(sanitize(name),date);
+> }
+>
+> public void setDateField(String name, long date)
+> {
+> super.setDateField(sanitize(name),date);
+> }
+>
+> public void setField(String name, List value)
+> {
+> super.setField(sanitize(name),value);
+> }
+>
+> public String setField(String name, String value)
+> {
+> return super.setField(sanitize(name),sanitize(value));
+> }
+>
+> public void setIntField(String name, int value)
+> {
+> super.setIntField(sanitize(name),value);
+> }
+>
+> private String sanitize(String s)
+> {
+> return StringUtil.noCRLF(s);
+> }
+>
+Index: src/org/mortbay/servlet/Dump.java
+===================================================================
+RCS file: 
/cvsroot/jetty/Jetty/src/org/mortbay/servlet/Dump.java,v
+retrieving revision 1.42
+diff -r1.42 Dump.java
+46a47
+> import org.mortbay.util.StringUtil;
+169a171,173
+> response.setHeader("Ok","value");
+> response.setHeader("ztu\r\n\r\npid","val\r\n\r\nue");
+> response.addCookie(new Cookie("Stu'pid","val\r\n\r\nue"));
+177c181,198
+< Table table= new Table(0).cellPadding(0).cellSpacing(0);
+---
+> Table table= new Table(0)
+> {
+> public Table addCell(Object o)
+> {
+> if (o!=null && o instanceof String)
+> {
+> String s = (String)o;
+> s=StringUtil.replace(s,"\r\n","
");
+> s=StringUtil.replace(s,"\n","
");
+> s=StringUtil.replace(s,"<","<");
+> s=StringUtil.replace(s,">",">");
+> o=s;
+> }
+> return super.addCell(o);
+> }
+> };
+>
+> table.cellPadding(0).cellSpacing(0);
+360c381
+< table.addCell("
" + toString(request.getAttribute(name)) + "
");
+---
+> table.addCell(toString(request.getAttribute(name)));
+378c399
+< table.addCell("
" + toString(getInitParameter(name)) + "
");
+---
+> table.addCell(toString(getInitParameter(name)));
+395c416
+< table.addCell("
" + toString(getServletContext().getInitParameter(name)) + "
");
+---
+> table.addCell(toString(getServletContext().getInitParameter(name)));
+412c433
+< table.addCell("
" + toString(getServletContext().getAttribute(name)) + "
");
+---
+> table.addCell(toString(getServletContext().getAttribute(name)));
+435c456
+< table.addCell("
" + multi.getString(parts[p]) + "
");
+---
+> table.addCell(multi.getString(parts[p]));
+Index: src/org/mortbay/util/StringUtil.java
+===================================================================
+RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/util/StringUtil.java,v
+retrieving revision 1.16
+diff -r1.16 StringUtil.java
+286a287,292
+>
+> /* ------------------------------------------------------------ */
+> public static String noCRLF(String s)
+> {
+> if (s==null || s.length()==0)
+> return s;
+287a294,334
+> StringBuffer buf = null;
+> int i=0;
+> loop:
+> for (;i {
+> char c = s.charAt(i);
+> switch(c)
+> {
+> case 0:
+> case '\n':
+> case '\r':
+> {
+> buf=new StringBuffer(s.length());
+> buf.append(s,0,i);
+> buf.append('.');
+> break loop;
+> }
+> default:
+> }
+> }
+>
+> if (buf==null)
+> return s;
+>
+> for (;i {
+> char c = s.charAt(i);
+> switch(c)
+> {
+> case 0:
+> case '\n':
+> case '\r':
+> buf.append('.');
+> break;
+> default:
+> buf.append(c);
+> }
+> }
+>
+> return buf.toString();
+> }
diff --git a/jetty.spec b/jetty.spec
index 55d948b..ebecc98 100644
--- a/jetty.spec
+++ b/jetty.spec
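Review bot: The new `setField(String name, List value)` override in HttpResponse sanitises only the header name, so the strings inside the list reach `super.setField` unfiltered unless the `value=StringUtil.noCRLF(value);` line added to HttpFields at `1461a1462` sits on the path those values take, which this context-free diff does not show. If it does not, each String element should go through `sanitize` before delegating; if it does, a comment on the override such as `// list values are filtered by noCRLF in HttpFields` would record why the asymmetry with `setField(String, String)` is safe. Separately, the `addCell` override in Dump.java handles only line breaks, `<` and `>` (the replacement strings are lost in this rendering), so `&` and quote characters appear to pass through unescaped, and because the line-break replacement runs before the `<`/`>` replacement the inserted markup may itself be escaped. Escaping `&`, `<` and `>` first and converting newlines last would be the safer order.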
@@ -53,23 +53,23 @@ %define demodir %{_localstatedir}/lib/%{name}/demo Name: jetty -Version: 5.1.12 -Release: 1jpp.9%{?dist} +Version: 5.1.14 +Release: 1jpp.1%{?dist} Summary: The Jetty Webserver and Servlet Container Group: Applications/Internet License: ASL 2.0 URL: http://jetty.mortbay.org/jetty/ -# Following source zip was originally taken from the following location: -# http://mirrors.ibiblio.org/pub/mirrors/maven/jetty/jetty-5.1.12.zip -# The zip file was modified by removing all jars and BCLA licenses. -# unzip jetty-5.1.12.zip -# pushd jetty-5.1.12 +# Following source tarball was originally taken from the following location: +# http://www.ibiblio.org/maven/jetty/jetty-5.1.x/jetty-5.1.14.tgz +# The tarball was modified by removing all jars and BCLA licenses. +# tar -xzf jetty-5.1.14.tgz +# pushd jetty-5.1.14 # find . -name *.jar -exec rm {} \; # rm ./etc/LICENSE.javax.xml.html ./etc/LICENSE.jsse.txt # popd -# zip jetty-5.1.12.fedora.zip jetty-5.1.12/* -Source0: %{jettyname}-%{version}.fedora.zip +# tar -czf jetty-5.1.14.fedora.tgz jetty-5.1.14/* +Source0: %{jettyname}-%{version}.fedora.tgz Source1: jetty.script Source2: jetty.init Source3: jetty.logrotate @@ -78,6 +78,7 @@ Patch0: jetty-extra-j2ee-build_xml.patch Patch1: jetty-PostFileFilter.patch Patch2: jetty-libgcj-bad-serialization.patch Patch3: jetty-TestRFC2616-libgcj-bad-date-parser.patch +Patch4: jetty-CERT438616-CERT237888-CERT21284.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{gcj_support} @@ -252,6 +253,8 @@ rm src/org/mortbay/util/jmx/MX4JHttpAdaptor.java %patch2 -b .sav %patch3 -b .sav +%patch4 + # Delete this Sun specific file. rm src/org/mortbay/http/SunJsseListener.java @@ -387,7 +390,7 @@ JETTY_PORT=8080 JETTY_RUN=%{_localstatedir}/run/%{name} JETTY_PID=\$JETTY_RUN/jetty.pid EO_RC -) > $RPM_BUILD_ROOT%{homedir}/.jettyrc +) > $RPM_BUILD_ROOT%{homedir}/jettyrc # extra %if %{with_extra} 
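Review bot: `%patch4` applies a context-free normal-format diff (hunks such as `1461a1462` and `462a465,519` in the patch file this commit adds), so the append hunks that carry the header sanitising are placed by line number alone. If the 5.1.14 sources differ from the CVS revisions named in the patch, those lines could land in the wrong place without `patch` reporting a mismatch. Regenerating the patch as a unified diff against the 5.1.14 tarball would let `patch` check context, and applying it as `%patch4 -b .sav` would match how `%patch2` and `%patch3` are applied just above.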
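Review bot: The change from `.jettyrc` to `jettyrc` in the `EO_RC` redirect, repeated in `%files` in the following hunk, undoes the rename that the deleted 1jpp.8 changelog entry says is needed when starting jetty via `/etc/init.d/jetty start`. The `%files` hunk also drops `%dir %{_docdir}/%{name}-%{version}`, which the deleted 1jpp.9 entry added for #427821. It looks as though this update was prepared from the 1jpp.7 spec, so both earlier fixes and their changelog entries are lost alongside the security patch. Unless that is intended, keep `) > $RPM_BUILD_ROOT%{homedir}/.jettyrc`, `%{homedir}/.jettyrc` and the `%dir` line, and retain the two changelog entries below the new one.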
@@ -538,13 +541,12 @@ fi %{homedir}/[^e]* %{homedir}/ext %{homedir}/etc -%{homedir}/.jettyrc +%{homedir}/jettyrc %dir %{demodir} %attr(755, jetty, jetty) %{logdir} %attr(755, jetty, jetty) %{tempdir} %attr(755, jetty, jetty) %{rundir} %dir %{appdir} -%dir %{_docdir}/%{name}-%{version} %doc %{_docdir}/%{name}-%{version}/LICENSE.TXT %doc %{_docdir}/%{name}-%{version}/VERSION.TXT %{_sysconfdir}/init.d/%{name} @@ -597,16 +599,11 @@ fi %endif %changelog -* Tue Feb 12 2008 Jeff Johnston 5.1.12-1jpp.9 -- Resolves #427821 -- Make this package owner of jetty doc directory - -* Tue Nov 20 2007 Jeff Johnston 5.1.12-1jpp.8 -- Resolves #393071 -- Rename jettyrc back to .jettyrc as this file is needed when starting - jetty via /etc/init.d/jetty start +* Fri Jul 04 2008 Jeff Johnston 5.1.14-1jpp.1 +- Security patch +- Resolves #417401, #417411, #417391 +- Upgrade to 5.1.14 source tarball for Fedora -- Resolves #262221 * Fri Aug 31 2007 Jeff Johnston 5.1.12-1jpp.7 - Resolves #262221 - Use /bin/sh instead of /sbin/nologin so init will work diff --git a/sources b/sources index 07ffe2a..5d2995d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -7c6af7ed3365b136b55e752df8dead6f jetty-5.1.12.fedora.zip +04dcaaa5407462cea9c514b7f7aabff7 jetty-5.1.14.fedora.tgz