Now there's the first case where Jetty 9.4.x isn't getting a security upgrade: https://github.com/jetty/jetty.project/pull/12012#issuecomment-2416450253

It's about a low-priority 3.7/10 CVE-2024-6763:
https://nvd.nist.gov/vuln/detail/CVE-2024-6763
https://avd.aquasec.com/nvd/2024/cve-2024-6763/
For Pulsar 4.1, we should handle the upgrade to Jetty 12, which is a work in progress (WIP) in https://github.com/lhotari/pulsar/pull/190. Currently, it would also require upgrading to Jetty 12 in BookKeeper, https://github.com/apache/bookkeeper/pull/4447. Since Jetty 12 requires at least Java 17, this would require changing the minimum Java version for BookKeeper, https://github.com/apache/bookkeeper/pull/4446. The discussion to set the minimum Java version to 17 for BookKeeper is https://lists.apache.org/thread/jkgnr9tt947fzshpoojn0r8n2pnr0h3f on the BookKeeper dev mailing list.

-Lari

On 2024/04/17 13:57:16 Lari Hotari wrote:
> Hi,
>
> Pulsar Broker and Pulsar Proxy use Jetty 9.4.x. Jetty 9.4.x has reached
> end-of-life already in June 2022. Jetty 9.4.x has been receiving security
> updates until now although it is not officially supported anymore. This might
> change soon. That's why we need to start preparing to upgrade to Jetty 12.
>
> It is recommended to skip Jetty 10 and Jetty 11 since they are also end of
> support.
> More details about this recommendation are in this Jetty GitHub issue message
> by the Jetty maintainer:
> https://github.com/jetty/jetty.project/issues/11644#issuecomment-2048516903 .
>
> Could we target the Jetty 12 upgrade for the master branch so that it gets
> included in Pulsar 3.3.x?
> Or, do we first release 3.3.x asap and then tackle this upgrade for Pulsar
> 3.4.x?
>
> -Lari
>