Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763 (apache#4600)

lhotari · dlg99 · commit b32ad0a200d5 · 2026-02-27T07:59:24.000-08:00
### Motivation & Changes Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763 Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57. More details: * jetty/jetty.project#12630 * https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219 Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611 (cherry picked from commit 99eb63a) (cherry picked from commit cda3c6b)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -264,14 +264,14 @@ Apache Software License, Version 2.
 - lib/org.apache.zookeeper-zookeeper-3.9.3.jar [21]
 - lib/org.apache.zookeeper-zookeeper-jute-3.9.3.jar [21]
 - lib/org.apache.zookeeper-zookeeper-3.9.3-tests.jar [21]
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar [22]
-- lib/org.rocksdb-rocksdbjni-7.9.2.jar [23]
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar [22]
+- lib/org.rocksdb-rocksdbjni-9.9.3.jar [23]
 - lib/com.beust-jcommander-1.82.jar [24]
 - lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
 - lib/com.yahoo.datasketches-sketches-core-0.8.3.jar [25]
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -264,14 +264,14 @@ Apache Software License, Version 2.
 - lib/org.apache.zookeeper-zookeeper-3.9.3.jar [21]
 - lib/org.apache.zookeeper-zookeeper-jute-3.9.3.jar [21]
 - lib/org.apache.zookeeper-zookeeper-3.9.3-tests.jar [21]
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar [22]
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar [22]
-- lib/org.rocksdb-rocksdbjni-7.9.2.jar [23]
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar [22]
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar [22]
+- lib/org.rocksdb-rocksdbjni-9.9.3.jar [23]
 - lib/com.beust-jcommander-1.82.jar [24]
 - lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
 - lib/com.yahoo.datasketches-sketches-core-0.8.3.jar [25]
diff --git a/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt b/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
@@ -93,13 +93,13 @@ SoundCloud Ltd. (http://soundcloud.com/).
 This product includes software developed as part of the
 Ocelli project by Netflix Inc. (https://github.com/Netflix/ocelli/).
 ------------------------------------------------------------------------------------
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar
 
 ==============================================================
  Jetty Web Container
@@ -121,7 +121,7 @@ Jetty is dual licensed under both
 
 Jetty may be distributed under either license.
 
-lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar bundles UnixCrypt
+lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar bundles UnixCrypt
 
 The UnixCrypt.java code implements the one way cryptography used by
 Unix systems for simple password protection.  Copyright 1996 Aki Yoshida,
diff --git a/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt b/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
@@ -75,13 +75,13 @@ SoundCloud Ltd. (http://soundcloud.com/).
 This product includes software developed as part of the
 Ocelli project by Netflix Inc. (https://github.com/Netflix/ocelli/).
 ------------------------------------------------------------------------------------
-- lib/org.eclipse.jetty-jetty-http-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-io-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-security-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-server-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-servlet-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar
-- lib/org.eclipse.jetty-jetty-util-ajax-9.4.53.v20231009.jar
+- lib/org.eclipse.jetty-jetty-http-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-io-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-security-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-server-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-servlet-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar
+- lib/org.eclipse.jetty-jetty-util-ajax-9.4.57.v20241219.jar
 
 ==============================================================
  Jetty Web Container
@@ -103,7 +103,7 @@ Jetty is dual licensed under both
 
 Jetty may be distributed under either license.
 
-lib/org.eclipse.jetty-jetty-util-9.4.53.v20231009.jar bundles UnixCrypt
+lib/org.eclipse.jetty-jetty-util-9.4.57.v20241219.jar bundles UnixCrypt
 
 The UnixCrypt.java code implements the one way cryptography used by
 Unix systems for simple password protection.  Copyright 1996 Aki Yoshida,
diff --git a/pom.xml b/pom.xml
@@ -140,7 +140,7 @@
     <hdrhistogram.version>2.1.10</hdrhistogram.version>
     <jackson.version>2.17.1</jackson.version>
     <jcommander.version>1.82</jcommander.version>
-    <jetty.version>9.4.53.v20231009</jetty.version>
+    <jetty.version>9.4.57.v20241219</jetty.version>
     <jmh.version>1.37</jmh.version>
     <jmock.version>2.8.2</jmock.version>
     <jsoup.version>1.14.3</jsoup.version>
