This is an automated email from the ASF dual-hosted git repository.
lushiji pushed a commit to branch branch-4.17
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/branch-4.17 by this push:
new 7c58be4828 Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763 (#4600)
7c58be4828 is described below
commit 7c58be48283fc1a4e866664d3de83fdf243c004f
Author: Lari Hotari <[email protected]>
AuthorDate: Tue May 6 10:39:19 2025 +0800
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763 (#4600)
### Motivation & Changes
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains the backported CVE-2024-6763 fix from
https://github.com/jetty/jetty.project/pull/12532, although it's not explicitly
mentioned, and most security scanners don't yet contain the information that
it's been addressed in 9.4.57.
More details:
* https://github.com/jetty/jetty.project/issues/12630
* https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
Note: The backport is a partial mitigation and Jetty 9.4.57 will continue
to be marked as vulnerable. There's a discussion and explanation here:
https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
(cherry picked from commit 99eb63a5a417e9fdd7a7df4a5974491d51893c8e)
---
bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt | 16 ++++++++--------
.../src/main/resources/LICENSE-server.bin.txt | 16 ++++++++--------
bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt | 16 ++++++++--------
bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt | 16 ++++++++--------
pom.xml | 2 +-
5 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index b4c03ad5b3..7c335d6ab0 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -267,14 +267,14 @@ Apache Software License, Version 2.
- lib/org.apache.zookeeper-zookeeper-3.9.3.jar [21]
- lib/org.apache.zookeeper-zookeeper-jute-3.9.3.jar [21]
- lib/org.apache.zookeeper-zookeeper-3.9.3-tests.jar [21]
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar [22]
-- lib/org.rocksdb-rocksdbjni-7.10.2.jar [23]
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar [22]
+- lib/org.rocksdb-rocksdbjni-9.9.3.jar [23]
- lib/com.beust-jcommander-1.82.jar [24]
- lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
- lib/com.yahoo.datasketches-sketches-core-0.8.3.jar [25]
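Review bot: the rocksdbjni change in this hunk (lib/org.rocksdb-rocksdbjni-7.10.2.jar to 9.9.3) is not mentioned in the commit message, and the pom.xml part of this patch only touches jetty.version; confirm that branch-4.17 actually ships rocksdbjni 9.9.3 so the LICENSE listing matches the binary distribution, or split that line into its own commit if it came along with the cherry-pick.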
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 12036c6991..74a1f8b8cc 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -267,14 +267,14 @@ Apache Software License, Version 2.
- lib/org.apache.zookeeper-zookeeper-3.9.3.jar [21]
- lib/org.apache.zookeeper-zookeeper-jute-3.9.3.jar [21]
- lib/org.apache.zookeeper-zookeeper-3.9.3-tests.jar [21]
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar [22]
-- lib/org.rocksdb-rocksdbjni-7.10.2.jar [23]
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar [22]
+- lib/org.rocksdb-rocksdbjni-9.9.3.jar [23]
- lib/com.beust-jcommander-1.82.jar [24]
- lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
- lib/com.yahoo.datasketches-sketches-core-0.8.3.jar [25]
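Review bot: same point as for LICENSE-all.bin.txt: the rocksdbjni 7.10.2 to 9.9.3 line is outside the stated scope of a Jetty bump; verify it matches the jar really bundled in the server distribution before merging.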
diff --git a/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
b/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
index 6179798a87..71db5d9392 100644
--- a/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
@@ -93,13 +93,13 @@ SoundCloud Ltd. (http://soundcloud.com/).
This product includes software developed as part of the
Ocelli project by Netflix Inc. (https://github.com/Netflix/ocelli/).
------------------------------------------------------------------------------------
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar
==============================================================
Jetty Web Container
@@ -121,7 +121,7 @@ Jetty is dual licensed under both
Jetty may be distributed under either license.
-lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar bundles UnixCrypt
+lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar bundles UnixCrypt
The UnixCrypt.java code implements the one way cryptography used by
Unix systems for simple password protection. Copyright 1996 Aki Yoshida,
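Review bot: the UnixCrypt attribution is carried forward with only the jar name changed; it is worth checking that jetty-util 9.4.57.v20241219 still bundles UnixCrypt.java so the NOTICE stays accurate (the same line is updated in NOTICE-server.bin.txt).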
diff --git a/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
b/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
index 6c4b91c892..7c93a8c247 100644
--- a/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
@@ -75,13 +75,13 @@ SoundCloud Ltd. (http://soundcloud.com/).
This product includes software developed as part of the
Ocelli project by Netflix Inc. (https://github.com/Netflix/ocelli/).
------------------------------------------------------------------------------------
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar
==============================================================
Jetty Web Container
@@ -103,7 +103,7 @@ Jetty is dual licensed under both
Jetty may be distributed under either license.
-lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar bundles UnixCrypt
+lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar bundles UnixCrypt
The UnixCrypt.java code implements the one way cryptography used by
Unix systems for simple password protection. Copyright 1996 Aki Yoshida,
diff --git a/pom.xml b/pom.xml
index 9e503def15..4135f10acb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -142,7 +142,7 @@
<hdrhistogram.version>2.1.10</hdrhistogram.version>
<jackson.version>2.17.1</jackson.version>
<jcommander.version>1.82</jcommander.version>
- <jetty.version>9.4.53.v20231009</jetty.version>
+ <jetty.version>9.4.57.v20241219</jetty.version>
<jmh.version>1.37</jmh.version>
<jmock.version>2.8.2</jmock.version>
<jsoup.version>1.15.3</jsoup.version>
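Review bot: this one-line property bump is the only functional change in the patch; since the commit message states that the backport is a partial mitigation and that scanners will keep flagging 9.4.57 for CVE-2024-6763, record the justification (the linked gitlab.eclipse.org discussion) wherever the project triages scanner findings, so the remaining finding is not re-investigated on every release and the residual risk stays visible.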