From: Markus Koschany
Date: Wed, 27 Sep 2023 14:25:09 +0200
Subject: CVE-2023-36479 The org.eclipse.jetty.servlets.CGI Servlet should not be used anymore. Upstream recommends to use Fast CGI instead.
Origin: https://github.com/eclipse/jetty.project/pull/9888
---
 .../src/main/java/org/eclipse/jetty/servlets/CGI.java | 3 +++
 .../test-jetty-webapp/src/main/webapp/WEB-INF/web.xml | 11 -----------
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
index 6322290..55d8f9a 100644
--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
+++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
@@ -67,7 +67,10 @@ import org.eclipse.jetty.util.log.Logger;
 *
ignoreExitState
*
If true then do not act on a non-zero exec exit status")
*
+ *
+ * @deprecated do not use, no replacement, will be removed in a future release.
 */
+@Deprecated
 public class CGI extends HttpServlet
 {
 private static final long serialVersionUID = -6182088932884791074L;
diff --git a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
index 507771f..978595f 100644
--- a/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
+++ b/tests/test-webapps/test-jetty-webapp/src/main/webapp/WEB-INF/web.xml
@@ -121,17 +121,6 @@ /dispatch/* - - CGI - org.eclipse.jetty.servlets.CGI - 1 - - - - CGI - /cgi-bin/* - - Chat com.acme.ChatServlet
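Review bot: The `@deprecated` text added above `public class CGI` gives no reason and says "no replacement", while the commit message ties the change to CVE-2023-36479 and says upstream recommends Fast CGI instead. A developer who sees only the compiler warning cannot tell that this is a security deprecation. I would write the tag as `@deprecated insecure, see CVE-2023-36479; do not deploy, will be removed in a future release.` and have the message and the Javadoc agree on whether Fast CGI is the suggested alternative. Per the diffstat this patch adds three lines to CGI.java and removes none, so the servlet's behaviour is unchanged; only the test webapp's mapping is dropped, and any deployment whose own web.xml still maps `org.eclipse.jetty.servlets.CGI` keeps the affected code reachable. The class body continues outside the hunk, so whether a startup warning is logged for remaining uses cannot be seen from here; if not, one warning at servlet initialisation would make them visible to operators.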