[ https://issues.apache.org/jira/browse/KAFKA-12359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293247#comment-17293247 ]

John Stacy commented on KAFKA-12359:
------------------------------------

Due to this vulnerability, you might want to bump to 11.0.1: 
https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7

> Update Jetty to 11
> ------------------
>
>                 Key: KAFKA-12359
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12359
>             Project: Kafka
>          Issue Type: Improvement
>          Components: KafkaConnect, tools
>            Reporter: Dongjin Lee
>            Assignee: Dongjin Lee
>            Priority: Major
>
> I found this problem when I was working on 
> [KAFKA-12324|https://issues.apache.org/jira/browse/KAFKA-12324].
> At present, Kafka Connect and Trogdor are using Jetty 9. Although Jetty's 
> stable release is 9.4, the Jetty community is now moving their focus to Jetty 
> 10 and 11, which require Java 11 as a prerequisite. To minimize potential 
> security vulnerabilities, Kafka should migrate to Java 11 + Jetty 11 as soon 
> as Jetty 9.4 reaches the end of life. As a note, [Jetty 9.2 reached End of 
> Life in March 
> 2018|https://www.eclipse.org/lists/jetty-announce/msg00116.html], and 9.3 
> also did in [February 
> 2020|https://www.eclipse.org/lists/jetty-announce/msg00140.html].
> In other words, the necessity of moving to Java 11 is heavily affected by 
> Jetty's maintenance plan. Jetty 9.4 seems like it will still be supported for a 
> certain period of time, but it is worth being aware of these relationships 
> and having a migration plan.
> Updating Jetty to 11 is not resolved by simply changing the version. Along 
> with its API changes, we have to cope with additional dependencies, [Java EE 
> class name changes|https://webtide.com/renaming-from-javax-to-jakarta/], 
> making Jackson compatible with the changes, etc.
> As a note: for the difference between Jetty 10 and 11, see 
> [here|https://webtide.com/jetty-10-and-11-have-arrived/] - in short, "Jetty 
> 11 is identical to Jetty 10 except that the javax.* packages now conform to 
> the new jakarta.* namespace.".



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
