Upgrade Jetty to 9.4.57.v20241219 to mitigate CVE-2024-6763 #4600
Merged
hezhangjian merged 1 commit into apache:master on May 6, 2025
Jetty 9 is EOL and should not be used.
Member
Author
@joakime Yes, we are aware of that. There's work in progress to upgrade to Jetty 12.
Feel free to reach out to us for any help you need.
Member
rerun failure checks
liudezhi2098 approved these changes May 6, 2025
hezhangjian approved these changes May 6, 2025
StevenLuMT pushed a commit that referenced this pull request Jun 12, 2025
### Motivation & Changes
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.
More details:
* jetty/jetty.project#12630
* https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
(cherry picked from commit 99eb63a)
StevenLuMT added a commit to StevenLuMT/bookkeeper that referenced this pull request Jul 6, 2025
This was referenced Jul 6, 2025
StevenLuMT added a commit that referenced this pull request Jul 7, 2025
StevenLuMT added a commit to StevenLuMT/bookkeeper that referenced this pull request Jul 7, 2025
priyanshu-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Jul 11, 2025
### Motivation & Changes
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.
More details:
* jetty/jetty.project#12630
* https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
(cherry picked from commit 99eb63a)
(cherry picked from commit 7c58be4)
priyanshu-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Jul 11, 2025
…4-6763 (apache#4600) (apache#4632)
(cherry picked from commit 770bd8a)
sandeep-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Jul 22, 2025
### Motivation & Changes
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.
More details:
* jetty/jetty.project#12630
* https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
(cherry picked from commit 99eb63a)
(cherry picked from commit 7c58be4)
sandeep-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Jul 22, 2025
…4-6763 (apache#4600) (apache#4632)
(cherry picked from commit 770bd8a)
manas-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Feb 27, 2026
### Motivation & Changes
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.
More details:
* jetty/jetty.project#12630
* https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
(cherry picked from commit 99eb63a)
(cherry picked from commit cda3c6b)
manas-ctds pushed a commit to datastax/bookkeeper that referenced this pull request Feb 27, 2026
…4-6763 (apache#4600) (apache#4631)
(cherry picked from commit add6808)
dlg99 pushed a commit to datastax/bookkeeper that referenced this pull request Feb 27, 2026
### Motivation & Changes
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.
More details:
* jetty/jetty.project#12630
* https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
(cherry picked from commit 99eb63a)
(cherry picked from commit cda3c6b)
dlg99 pushed a commit to datastax/bookkeeper that referenced this pull request Feb 27, 2026
…4-6763 (apache#4600) (apache#4631)
(cherry picked from commit add6808)
Motivation & Changes
Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.
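More details:
* jetty/jetty.project#12630
* https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219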
Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611