Hi,

Thanks Lari, this is a good point. I also wanted to mention the Jetty
upgrade which I already started (but do not yet have a PR for)
under ZOOKEEPER-5038 and that will also require Java 17.

Best,
Dávid

Lari Hotari <[email protected]> wrote (on Mon, May 4, 2026, 12:40):

> Hi all,
>
> I'd like to raise a point related to the discussion about ZooKeeper's
> minimum supported Java version.
>
> Jetty 9.x is end-of-life and no longer receives OSS security updates. There
> are unaddressed CVEs that affect the 9.4.x line:
>
> - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension
> parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
> - CVE-2025-11143 (Low) – differential URI parsing that can lead to security
> bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
>
> The catch is that 9.4.59 and 9.4.60 are only available to customers paying
> for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can no
> longer obtain security fixes for Jetty 9.x through Maven Central.
>
> The supported community line is Jetty 12.x, which requires Java 17 as the
> baseline.
>
> In Apache Pulsar, we've had to carry a fairly invasive workaround to
> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / shadow
> the relevant Pulsar-side integration classes (the equivalents of
> org.apache.zookeeper.server.admin and
> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty 12.x
> even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to drop
> this hack, but that requires ZooKeeper itself to move off Jetty 9.x.
>
> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java baseline
> to 17 would unblock the Jetty upgrade and close the CVE exposure for
> downstream OSS users at the same time. Would the project consider tying the
> Java 17 baseline discussion to a Jetty 12 migration on the same release
> line?
>
> Happy to help with the migration work if there's interest.
>
> -Lari
>
> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:
>
> > I’m trying to extract the relevant information from the thread for you.
> > Previously I wrote something like:
> >
> > “… we could make a leap and make JDK 17 the minimum runtime and compile
> > versions for the master branch.
> >
> > Once the change is merged to master, we'll backport it to branch-3.9 as
> > follows:
> >
> >  * minimum JDK for building: 17
> >  * minimum JRE for running: 8 (no change)”
> >
> > As far as I know, that’s what we agreed on, but unfortunately, no one has
> > been willing to create a PR for it since then. Are you happy to work on
> > it?
> >
> > Andor
> >
> >
> >
> > > On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
> > >
> > > Hi David,
> > >
> > > Thank you, your efforts are much appreciated.
> > >
> > > Yes. At the moment we still support Java 8 on all active branches.
> > > There’s only one exception: the OWASP build process requires Java 11 to
> > > run.
> > >
> > > There were a bunch of discussions [1] and [2] recently regarding how we
> > > should upgrade and which JDK versions we should support on our branches.
> > > You might want to review them before going forward.
> > >
> > > [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
> > > [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
> > >
> > > Regards,
> > > Andor
> > >
> > >
> > >
> > >
> > >> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
> > >>
> > >> Hi ZooKeeper devs,
> > >>
> > >> I started to work on JDK25 support in ZooKeeper. The compilation works
> > >> fine but for the tests to work I created ZOOKEEPER-5039 to upgrade
> > >> Mockito to 5.23.0.
> > >>
> > >> I put up #2376 PR and I saw that the GH Actions builds at the moment are
> > >> done using Java 8 and Java 11.
> > >>
> > >> Mockito 5.x requires Java 11 or higher. It will not work with Java 8.
> > >> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java 25.
> > >>
> > >> Do we have to support Java 8 on ZooKeeper master branch? I did not
> > >> find any documentation regarding this.
> > >>
> > >> Thanks in advance,
> > >> Dávid
> > >
> >
> >
>
