Clarification on CVE-2024-6763 Remediation and jetty-http in Jetty 12.x

[raviteja439]

Hi Jetty Team,

Following up on CVE-2024-6763 flagged in our dependency scans for jetty-http:11.0.25, we understand that:

Jetty 9/10/11 are now EOL.

jetty-http is not published as a standalone artifact in Jetty 12.x.

Could you please clarify:

How is the functionality of jetty-http structured or replaced in Jetty 12.x?

What is the recommended approach for users relying on jetty-http in Jetty 11.x to migrate to Jetty 12.x for continued security compliance and equivalent HTTP handling functionality?

Is there any published guidance or documentation for transitioning from Jetty 11.x + jetty-http to Jetty 12.x?

We want to align our REST Catalog dependencies with a supported Jetty 12.x track while ensuring CVE remediation and compatibility with our use case.

Thank you for your guidance.

Best regards,
Raviteja Lanka,
IBM India.

[joakime]

Correct, Jetty 11 is currently EOL.

• EOL (End of Life) for Jetty 10 / Jetty 11 - January 2025 #10485
• EOL (End of Life) for Jetty 9 - January 2025 #7958

The jetty-http artifacts are on Maven Central, including ones for Jetty 12.x

• https://central.sonatype.com/artifact/org.eclipse.jetty/jetty-http/versions
• https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-http/

As for CVE-2024-6763, the linked to advisory shows that it was fixed in Jetty 12.0.12.

As for documentation for Jetty 12, see

• https://jetty.org/ - main Jetty web page.
• https://jetty.org/docs/ - documentation hub
• https://jetty.org/docs/jetty/12/index.html - Jetty 12 specific documentation
• https://jetty.org/docs/jetty/12/programming-guide/migration/11-to-12.html - Migration from Jetty 11 to Jetty 12.