This is an automated email from the ASF dual-hosted git repository.
andor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/master by this push:
new 06b418b62 ZOOKEEPER-4932: The newest version of zookeeper includes Jetty version 9.4.57.x which has CVE-2024-6763 issue
06b418b62 is described below
commit 06b418b62d281c2259dee3eccb9885393532a204
Author: Andor Molnár <[email protected]>
AuthorDate: Fri Aug 1 16:35:51 2025 -0500
ZOOKEEPER-4932: The newest version of zookeeper includes Jetty version 9.4.57.x which has CVE-2024-6763 issue
ZOOKEEPER-4932: Put back accidentally removed owasp suppression
Update owaspSuppressions.xml
Co-authored-by: Kezhu Wang <[email protected]>
Reviewers: kezhuw
Author: anmolnar
Closes #2288 from anmolnar/ZOOKEEPER-4932
---
owaspSuppressions.xml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 5b9719067..2db9d7c15 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -18,6 +18,23 @@
-->
<suppressions
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
+ <suppress>
+ <!--
+ We have updated jetty[1] to 9.4.57.v20241219[2] which includes a
fix[3] for CVE-2024-6763[4].
+ But it is not listed as fixed version since 9.x is EOL[5]. So we
still have to suppress this
+ to pass vulnerabilities check. Besides above, ZooKeeper does not use
HttpURI[6] thus should
+ not be affected by this CVE anyway.
+
+ Refs:
+ [1]: https://github.com/apache/zookeeper/pull/2220
+ [2]:
https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
+ [3]: https://github.com/jetty/jetty.project/pull/12532
+ [4]: https://github.com/advisories/GHSA-qh8g-58pp-2wxh
+ [5]:
https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
+ [6]: https://issues.apache.org/jira/browse/ZOOKEEPER-4876
+ -->
+ <cve>CVE-2024-6763</cve>
+ </suppress>
<suppress>
<!-- ZOOKEEPER-3217 -->
<cve>CVE-2018-8088</cve>
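Review bot: the new `<suppress>` block carries only `<cve>CVE-2024-6763</cve>` with no `<packageUrl>` or `<gav>` selector, so it silences that CVE for every artifact dependency-check flags, not just Jetty, while the justification in the comment is Jetty-specific (9.4.57.v20241219 contains the fix, and ZooKeeper does not use HttpURI). Consider scoping it with a selector such as `<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/.*$</packageUrl>`, and, since the comment notes that the 9.x line is EOL and the CVE will therefore never be marked fixed upstream, an `until` date on `<suppress>` so the entry is revisited rather than becoming silently permanent. The existing `ZOOKEEPER-3217` entry below shows the same unscoped pattern, so that change could be applied consistently.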