I'll proceed and merge https://github.com/apache/pulsar/pull/25534 to 
branch-4.0.

-Lari

On 2026/04/16 12:01:29 Lari Hotari wrote:
> Hi everyone,
> 
> I'm proposing upgrading from Jetty 9.4.58 to Jetty 12.1.8 in the 4.0.x
> branch to address multiple CVEs in Jetty 9.4.x:
> 
> - CVE-2026-5795 (High) - affects <=9.4.60
> - CVE-2026-2332 (High) - affects <=9.4.59
> - CVE-2025-11143 (Low) - affects <=9.4.58
> 
> Jetty 9.4.x is EOL and only receives commercial non-OSS support. These
> CVEs will not be fixed in the open-source 9.4.x line. Jetty 12.1.x is
> the current actively maintained release series with long-term support.
> 
> The implementation is available in PR
> https://github.com/apache/pulsar/pull/25534, which cherry-picks and
> adapts the Jetty 12 upgrade work already done on branch-4.2 and master
> (#25100, #25155, #25169) to branch-4.0.
> 
> Breaking changes:
> 
> There are a few breaking changes to be aware of:
> 
> 1. AdditionalServlet interface change
> The AdditionalServlet interface has a breaking change because the
> existing interface is coupled directly to the Jetty 9 ServletHolder
> class. This coupling has been removed.
> 
> 2. Java version requirement for Athenz authentication
> pulsar-client-auth-athenz requires Java 17+ since it depends on Jetty
> which requires Java 17+ after the upgrade. The Pulsar Client and
> Pulsar Admin client themselves remain Java 8+ compatible.
> 
> 3. Prometheus metrics provider class relocation
> The Prometheus metrics provider classes for BookKeeper and ZooKeeper
> have been relocated, because the default classes depended on Jetty
> 9.4.x. If you are using the previous default configuration, update the
> following settings:
> 
> bookkeeper.conf / statsProviderClass:
>   Old: org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider
>   New: org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider
> 
> zookeeper.conf / metricsProvider.className:
>   Old: org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
>   New: org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider
> 
> The high-severity CVEs in Jetty 9.4.x are a concrete security concern
> for Pulsar deployments, with severity depending on exposure and
> configuration. They are also a practical blocker under many corporate
> security policies, where high-severity (CVSS >7.0) CVEs are not
> acceptable in dependencies or deployed software. Since Jetty 9.4.x is
> EOL without open-source fixes, the only viable path forward is
> upgrading to a supported Jetty version. The breaking changes are
> limited in scope -- the AdditionalServlet interface change affects a
> plugin API with likely few external implementations, the Athenz Java
> 17 requirement only affects that specific auth provider, and the
> metrics provider class names are a straightforward configuration
> update.
> 
> I'd appreciate feedback on this proposal. I'll proceed with merging
> https://github.com/apache/pulsar/pull/25534 after 72 hours unless
> there are objections.
> 
> Thanks,
> Lari
> 
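
The metrics-provider relocation described in the proposal above, as an added example script that is not part of the thread or of the Pulsar project: it rewrites both settings in place, keeps a backup, and then verifies that neither Jetty-9-dependent class name survives. The sample config contents it writes are constructed, and a POSIX shell with sed and grep is assumed.

```shell
#!/bin/sh
# Added example (not from the Pulsar project or the thread): migrate the
# Prometheus metrics provider class names changed by the Jetty 12 upgrade
# and verify that no Jetty-9-dependent default remains configured.
set -eu

OLD_BK=org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider
NEW_BK=org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider
OLD_ZK=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
NEW_ZK=org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider

# rewrite_provider FILE KEY OLD NEW: turn "KEY=OLD" into "KEY=NEW"
# (whitespace around '=' tolerated), keeping a .bak copy of the original.
rewrite_provider() {
  file=$1; key=$2; old=$3; new=$4
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  cp "$file" "$file.bak"
  # Dots in keys and class names are regex metacharacters; escape them.
  key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
  old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
  sed "s|^\([[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\)${old_re}[[:space:]]*\$|\1${new}|" \
    "$file.bak" > "$file"
}

# check_provider FILE KEY CLASS: succeed only if KEY is set to CLASS
# (dots in CLASS match any character here, which is fine for a sanity check).
check_provider() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*\$" "$1"
}

# migrate_metrics_providers BK_CONF ZK_CONF: rewrite both files, then fail
# unless both now reference the relocated Pulsar provider classes.
migrate_metrics_providers() {
  rewrite_provider "$1" statsProviderClass "$OLD_BK" "$NEW_BK"
  rewrite_provider "$2" metricsProvider.className "$OLD_ZK" "$NEW_ZK"
  check_provider "$1" statsProviderClass "$NEW_BK" &&
    check_provider "$2" metricsProvider.className "$NEW_ZK"
}

# make_sample_confs DIR: constructed pre-upgrade configs for a dry run.
make_sample_confs() {
  printf 'statsProviderClass=%s\nprometheusStatsHttpPort=8000\n' "$OLD_BK" \
    > "$1/bookkeeper.conf"
  printf 'metricsProvider.className = %s\n' "$OLD_ZK" > "$1/zookeeper.conf"
}
```

Run `make_sample_confs "$dir"` followed by `migrate_metrics_providers "$dir/bookkeeper.conf" "$dir/zookeeper.conf"` to see it on the constructed files; the function's exit status tells you whether the migration is complete.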
