Hi all,

Since we upgraded the master branch to JDK 17, the door is now open for a Jetty upgrade. Multiple approaches have been raised recently around this topic, and I’d like to bring them under the umbrella of this new e-mail thread.

- First, we can “just” upgrade on the master branch, since JDK 17 unblocked it. Downside is it cannot be backported to earlier branches, so users will take advantage of that when they upgrade to 3.10.0,
- Second approach is quoted below in Lari’s e-mail,
- Third, which I’ve read in the Jira ticket from Diego Rivera [1], which is about a multi-release JAR. Personally I find it too cumbersome to go forward with.

Please share your thoughts.

Regards,
Andor

[1] https://issues.apache.org/jira/browse/ZOOKEEPER-5038?focusedCommentId=18089529&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-18089529

> On May 4, 2026, at 15:14, Lari Hotari <[email protected]> wrote:
>
> I'm just wondering if we could first decouple the code that uses Jetty from
> zookeeper-server.
>
> I added this comment to ZOOKEEPER-5038:
> =====
> Since the recurring blocker for upgrading Jetty is the Java baseline (Jetty
> 12 requires Java 17, while ZooKeeper still supports Java 8/11), it would be
> useful to decouple the HTTP admin server from zookeeper-server entirely.
>
> Concretely, the org.apache.zookeeper.server.admin package could be moved
> out of the zookeeper-server module into a new, separate module — for
> example zookeeper-server-http-admin. The rest of ZooKeeper would keep its
> current Java 8/11 compatibility, and only this optional module would
> require Java 17 (and pull in Jetty 12).
>
> To avoid a hard compile-time dependency from zookeeper-server on the new
> module, the admin server could be loaded via reflection at runtime when it
> is enabled in the configuration. That way users on older JDKs simply don't
> enable the HTTP admin server, while users on Java 17+ get a fully
> maintained Jetty.
>
> This would also let the Jetty upgrade proceed independently of the broader
> Java baseline discussion.
> =====
>
> Would this make sense?
>
> -Lari
>
> On Mon, 4 May 2026 at 22:50, Andor Molnár <[email protected]> wrote:
>
>> Absolutely. That’s actually my original intention for the JDK 17 upgrade.
>> We should definitely upgrade to Jetty 12 once the JDK upgrade landed.
>>
>> Thanks for the heads-up.
>>
>> Andor
>>
>>
>>
>>> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote:
>>>
>>> Hi all,
>>>
>>> I'd like to raise a point related to the discussion about ZooKeeper's
>>> minimum supported Java version.
>>>
>>> Jetty 9.x is end-of-life and no longer receives OSS security updates. There
>>> are unaddressed CVEs that affect the 9.4.x line:
>>>
>>> - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension
>>> parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
>>> - CVE-2025-11143 (Low) – differential URI parsing that can lead to security
>>> bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
>>>
>>> The catch is that 9.4.59 and 9.4.60 are only available to customers paying
>>> for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can no
>>> longer obtain security fixes for Jetty 9.x through Maven Central.
>>>
>>> The supported community line is Jetty 12.x, which requires Java 17 as the
>>> baseline.
>>>
>>> In Apache Pulsar, we've had to carry a fairly invasive workaround to
>>> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / shadow
>>> the relevant Pulsar-side integration classes (the equivalents of
>>> org.apache.zookeeper.server.admin and
>>> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty 12.x
>>> even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to drop
>>> this hack, but that requires ZooKeeper itself to move off Jetty 9.x.
>>>
>>> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java baseline
>>> to 17 would unblock the Jetty upgrade and close the CVE exposure for
>>> downstream OSS users at the same time. Would the project consider tying the
>>> Java 17 baseline discussion to a Jetty 12 migration on the same release
>>> line?
>>>
>>> Happy to help with the migration work if there's interest.
>>>
>>> -Lari
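
The runtime reflective loading proposed in the ZOOKEEPER-5038 comment quoted above, sketched as an added example (not ZooKeeper or Pulsar code): the core names the optional admin class only as a string and falls back when the JDK is older than 17 or the module is absent. The interface, class names and fallback behaviour are hypothetical.

```java
// Added illustration; not ZooKeeper code. All type and class names are hypothetical.
public class OptionalAdminLoader {

    /** Minimal contract the Java 8/11 core module would compile against. */
    public interface AdminServer {
        void start();
    }

    /** Fallback used when the HTTP admin server is disabled or unavailable. */
    static final class NoopAdminServer implements AdminServer {
        @Override public void start() { /* intentionally does nothing */ }
    }

    /** "1.8" -> 8, "11" -> 11, "17" -> 17. Works on Java 8, unlike Runtime.version(). */
    static int javaFeatureVersion(String spec) {
        String[] parts = spec.split("\\.");
        return Integer.parseInt(parts[0].equals("1") && parts.length > 1 ? parts[1] : parts[0]);
    }

    static AdminServer load(boolean enabled, String implClass, int runtimeVersion) {
        if (!enabled) {
            return new NoopAdminServer();
        }
        if (runtimeVersion < 17) {
            System.err.println("HTTP admin server needs Java 17+, running on " + runtimeVersion);
            return new NoopAdminServer();
        }
        try {
            // Only a string names the optional module: no compile-time link from the core.
            Class<?> cls = Class.forName(implClass);
            return cls.asSubclass(AdminServer.class).getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException e) {
            System.err.println("Admin module not on the classpath: " + implClass);
        } catch (LinkageError e) {
            // UnsupportedClassVersionError and NoClassDefFoundError are Errors, not Exceptions.
            System.err.println("Admin module failed to link: " + e);
        } catch (ReflectiveOperationException | ClassCastException e) {
            System.err.println("Admin module could not be instantiated: " + e);
        }
        return new NoopAdminServer();
    }

    public static void main(String[] args) {
        int version = javaFeatureVersion(System.getProperty("java.specification.version"));
        // Constructed class name: the module is absent here, so the fallback is returned.
        AdminServer server = load(true, "org.example.admin.JettyTwelveAdminServer", version);
        server.start();
        System.out.println("Loaded: " + server.getClass().getSimpleName());
    }
}
```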
