JinwooHwang opened a new pull request, #7992:
URL: https://github.com/apache/geode/pull/7992

   ## Summary
   
   Remediation of CVE-2026-1605 and CVE-2025-11143. Upgrades the Jetty embedded web server from **12.0.27** to **12.0.33**.
   
   ## Changes
   
   | File | Change |
   |------|--------|
   | `build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy` | Bumped `jetty.version` to `12.0.33` |
   | `geode-assembly/src/distributedTest/java/org/apache/geode/session/tests/GenericAppServerInstall.java` | Updated hardcoded `JETTY_VERSION` constant to `12.0.33` |
   | `geode-assembly/src/integrationTest/resources/assembly_content.txt` | Updated Jetty jar filenames in assembly snapshot |
   | `geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt` | Updated Jetty jar filenames in gfsh classpath snapshot |
   | `geode-server-all/src/integrationTest/resources/dependency_classpath.txt` | Updated Jetty jar filenames in server-all classpath snapshot |
   
   
   ## Notes
   
   - Jetty 12.0.x targets Jakarta EE 10 (Servlet 6.0). All modules remain under the `ee10` namespace (`org.eclipse.jetty.ee10`).
   - The version is defined centrally in `DependencyConstraints.groovy` and hardcoded independently in `GenericAppServerInstall.java` (used for distributed session tests that download the Jetty distribution zip).
   
   
   ### For all changes, please confirm:
   - [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
   - [x] Has your PR been rebased against the latest commit within the target branch (typically `develop`)?
   - [x] Is your initial contribution a single, squashed commit?
   - [x] Does `gradlew build` run cleanly?
   - [ ] Have you written or updated unit tests to verify your changes?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
