lhotari opened a new pull request, #25534: URL: https://github.com/apache/pulsar/pull/25534
### Motivation

Upgrade from Jetty 9.4.58.v20250224 to Jetty 12.1.8 to address multiple CVEs in Jetty 9.4.x:

- CVE-2026-5795 (High) - affects <=9.4.60
- CVE-2026-2332 (High) - affects <=9.4.59
- CVE-2025-11143 (Low) - affects <=9.4.58

Jetty 9.4.x is EOL and only receives commercial non-OSS support.

### Breaking changes

This upgrade contains a breaking change in the org.apache.pulsar.broker.web.plugin.servlet.AdditionalServlet interface due to the existing interface coupling directly to Jetty 9 implementation details with the use of the org.eclipse.jetty.servlet.ServletHolder class in the AdditionalServlet interface. This coupling has been removed.

pulsar-client-auth-athenz requires Java 17+ since it depends on Jetty. The Pulsar Client and Pulsar Admin client remain Java 8+ compatible.

* `statsProviderClass` in `bookkeeper.conf` should be set to `org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider` if the current value is the previous default `org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider`.
* `metricsProvider.className` in `zookeeper.conf` should be set to `org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider` if the current value is the previous default `org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider`.

### Modifications

Upgrades to Jetty 12.1.8 by backporting these changes to branch-4.x:

- (cherry picked from commit 39dbbf01a264099a0f51f71ef174be66694706ef) (#25100)
- (cherry picked from commit f5fc992bb18f03ab9daddd5d3e741d84331ba7d0) (#25155)
- (cherry picked from commit 7b87a6a2d3732db9ab55935cdcfc55ad2a2ec45a) (#25169)
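A pre-upgrade check for the two configuration changes the PR description lists, written as an added example (it is not code from the PR or from the Pulsar project). It parses `bookkeeper.conf` / `zookeeper.conf` style key=value files and reports a change only when the key still holds the old default named above; the sample configs are constructed.

```python
"""Report metrics-provider class names that must change before this upgrade.
Added example, not Pulsar project code; class names are taken from the PR text."""

# (config file, key) -> (old default that must be replaced, new value to set)
MIGRATIONS = {
    ("bookkeeper.conf", "statsProviderClass"): (
        "org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider",
        "org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider",
    ),
    ("zookeeper.conf", "metricsProvider.className"): (
        "org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider",
        "org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider",
    ),
}


def parse_properties(text):
    """Minimal key=value parser: skips blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def required_changes(conf_name, text):
    """Return [(key, old_value, new_value)] for keys still at the old default.
    A custom provider class is left untouched; only the old default triggers it."""
    props = parse_properties(text)
    return [
        (key, old, new)
        for (fname, key), (old, new) in MIGRATIONS.items()
        if fname == conf_name and props.get(key) == old
    ]


# Constructed sample excerpts, not real deployment files.
SAMPLE_BK = """# constructed bookkeeper.conf excerpt
statsProviderClass=org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider
prometheusStatsHttpPort=8000
"""
SAMPLE_ZK = """# constructed zookeeper.conf excerpt already on a custom provider
metricsProvider.className=com.example.CustomMetricsProvider
"""

if __name__ == "__main__":
    for name, text in (("bookkeeper.conf", SAMPLE_BK), ("zookeeper.conf", SAMPLE_ZK)):
        for key, old, new in required_changes(name, text):
            print(f"{name}: set {key}={new} (was {old})")
```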
