[ https://issues.apache.org/jira/browse/ZOOKEEPER-4696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17727562#comment-17727562 ]
Szucs Villo commented on ZOOKEEPER-4696: ---------------------------------------- I started working on the patch. I think we need to upgrade the main version of Jetty because all of the 9.4-based versions have CVE problems. See here: [https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server]. We should upgrade Jetty to 11.0.15, which is the latest version. For this, we need quite a few code changes because of the deprecated methods and classes. [https://www.eclipse.org/jetty/javadoc/jetty-10/deprecated-list.html] > Update for Zookeeper latest version > ------------------------------------ > > Key: ZOOKEEPER-4696 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4696 > Project: ZooKeeper > Issue Type: Bug > Components: security, server > Affects Versions: 3.8.0 > Reporter: Dilip anand > Assignee: Szucs Villo > Priority: Critical > Labels: CVE > > Hi team, > We ran a scan for security vulnerability fixes,we have seen CVE's that > are affected for zookeeper and version of zookeeper we are using is 3.8.0 > .Here are the CVE's which are affected with zookeeper > CVE-2022-32221,CVE-2023-23914,CVE-2023-27533,CVE-2023-27534,CVE-2022-22576,CVE-2020-8169,CVE-2020-8285,CVE-2020-8286,CVE-2021-22926,CVE-2021-22946,CVE-2022-27775,CVE-2022-27781,CVE-2022-27782,CVE-2023-23916 > which do not have any reports in red hat website. we want to know what > version of zookeeper will clear these CVEs and when it'll be released? > Regards, > Dilip -- This message was sent by Atlassian Jira (v8.20.10#820010)