+1

Regards,
Penghui

On Thu, Apr 16, 2026 at 5:14 AM Baodi Shi <[email protected]> wrote:

> +1. Although this is a breaking change, it does not affect client behavior.
> Thanks,
> Baodi Shi
>
> Lari Hotari <[email protected]> wrote on Thursday, April 16, 2026 at 20:03:
> >
> > Hi everyone,
> >
> > I'm proposing upgrading from Jetty 9.4.58 to Jetty 12.1.8 in the 4.0.x
> > branch to address multiple CVEs in Jetty 9.4.x:
> >
> > - CVE-2026-5795 (High) - affects <=9.4.60
> > - CVE-2026-2332 (High) - affects <=9.4.59
> > - CVE-2025-11143 (Low) - affects <=9.4.58
> >
> > Jetty 9.4.x is EOL and only receives commercial non-OSS support. These
> > CVEs will not be fixed in the open-source 9.4.x line. Jetty 12.1.x is
> > the current actively maintained release series with long-term support.
> >
> > The implementation is available in PR
> > https://github.com/apache/pulsar/pull/25534, which cherry-picks and
> > adapts the Jetty 12 upgrade work already done on branch-4.2 and master
> > (#25100, #25155, #25169) to branch-4.0.
> >
> > Breaking changes:
> >
> > There are a few breaking changes to be aware of:
> >
> > 1. AdditionalServlet interface change
> > The AdditionalServlet interface has a breaking change because the
> > existing interface is coupled directly to the Jetty 9 ServletHolder
> > class. This coupling has been removed.
> >
> > 2. Java version requirement for Athenz authentication
> > pulsar-client-auth-athenz requires Java 17+ since it depends on Jetty
> > which requires Java 17+ after the upgrade. The Pulsar Client and
> > Pulsar Admin client themselves remain Java 8+ compatible.
> >
> > 3. Prometheus metrics provider class relocation
> > The Prometheus metrics provider classes for BookKeeper and ZooKeeper
> > have been relocated, because the default classes depended on Jetty
> > 9.4.x. If you are using the previous default configuration, update the
> > following settings:
> >
> > bookkeeper.conf / statsProviderClass:
> >   Old: org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider
> >   New: org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider
> >
> > zookeeper.conf / metricsProvider.className:
> >   Old: org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
> >   New: org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider
> >
> > The high-severity CVEs in Jetty 9.4.x are a concrete security concern
> > for Pulsar deployments, with severity depending on exposure and
> > configuration. They are also a practical blocker under many corporate
> > security policies, where high-severity (CVSS >7.0) CVEs are not
> > acceptable in dependencies or deployed software. Since Jetty 9.4.x is
> > EOL without open-source fixes, the only viable path forward is
> > upgrading to a supported Jetty version. The breaking changes are
> > limited in scope -- the AdditionalServlet interface change affects a
> > plugin API with likely few external implementations, the Athenz Java
> > 17 requirement only affects that specific auth provider, and the
> > metrics provider class names are a straightforward configuration
> > update.
> >
> > I'd appreciate feedback on this proposal. I'll proceed with merging
> > https://github.com/apache/pulsar/pull/25534 after 72 hours unless
> > there are objections.
> >
> > Thanks,
> > Lari
>

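The metrics provider relocation described in the quoted proposal, as an added example (this is not code from the Pulsar project or from anyone in this thread): a POSIX shell script that audits bookkeeper.conf and zookeeper.conf for the Jetty 9 era Prometheus provider classes and rewrites them to the relocated classes, leaving commented-out lines untouched and keeping a .bak copy. The side-by-side conf directory layout and the sample files it writes for the stand-alone run are constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example, not code from the Pulsar project or from this thread:
# audit and migrate the Prometheus metrics provider settings that move with
# the Jetty 12 upgrade. The layout (bookkeeper.conf and zookeeper.conf in one
# directory) is an assumption for illustration.
set -eu

OLD_BK="org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider"
NEW_BK="org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider"
OLD_ZK="org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider"
NEW_ZK="org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider"

# Effective value of KEY in FILE: the last uncommented "KEY=value" line wins;
# prints nothing when the key is unset or the file is missing.
conf_get() {
  file="$1"; key="$2"
  grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null \
    | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Rewrite "KEY=OLD" to "KEY=NEW" in FILE, keeping a .bak copy. Commented-out
# lines are left alone. Returns 0 when a rewrite happened, 1 otherwise.
# (sed -i is avoided because its syntax differs between GNU and BSD sed.)
migrate_key() {
  file="$1"; key="$2"; old="$3"; new="$4"
  [ "$(conf_get "$file" "$key")" = "$old" ] || return 1
  cp "$file" "$file.bak"
  sed -E "s|^([[:space:]]*${key}[[:space:]]*=[[:space:]]*)${old}[[:space:]]*\$|\\1${new}|" \
    "$file.bak" > "$file"
}

# Returns 0 when both files already point at the relocated classes; otherwise
# prints each setting that still needs attention (an unset key is reported
# too, so the operator can decide rather than relying on a default).
check_metrics_providers() {
  dir="$1"; ok=0
  bk="$(conf_get "$dir/bookkeeper.conf" statsProviderClass)"
  zk="$(conf_get "$dir/zookeeper.conf" metricsProvider.className)"
  [ "$bk" = "$NEW_BK" ] || { echo "bookkeeper.conf: statsProviderClass=${bk:-<unset>}"; ok=1; }
  [ "$zk" = "$NEW_ZK" ] || { echo "zookeeper.conf: metricsProvider.className=${zk:-<unset>}"; ok=1; }
  return $ok
}

# Migrate both files, printing what changed.
migrate_metrics_providers() {
  dir="$1"
  migrate_key "$dir/bookkeeper.conf" statsProviderClass "$OLD_BK" "$NEW_BK" \
    && echo "bookkeeper.conf: statsProviderClass -> $NEW_BK"
  migrate_key "$dir/zookeeper.conf" metricsProvider.className "$OLD_ZK" "$NEW_ZK" \
    && echo "zookeeper.conf: metricsProvider.className -> $NEW_ZK"
  return 0
}

# Constructed sample configs for a stand-alone run: the old provider classes,
# plus a commented-out line and unrelated keys that must survive untouched.
write_sample_confs() {
  dir="$1"; mkdir -p "$dir"
  cat > "$dir/bookkeeper.conf" <<EOF
# statsProviderClass=$NEW_BK
enableStatistics=true
statsProviderClass=$OLD_BK
EOF
  cat > "$dir/zookeeper.conf" <<EOF
dataDir=data/zookeeper
metricsProvider.className=$OLD_ZK
metricsProvider.httpPort=8000
EOF
}

# Stand-alone demonstration on a temporary directory.
demo_dir="$(mktemp -d)"
write_sample_confs "$demo_dir"
check_metrics_providers "$demo_dir" || true
migrate_metrics_providers "$demo_dir"
check_metrics_providers "$demo_dir" && echo "ok: $demo_dir"
```

Point the functions at a real conf directory (for example `migrate_metrics_providers /path/to/pulsar/conf`) after reviewing the output of `check_metrics_providers` on it; the .bak copies make the change easy to diff and revert.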