apache / pulsar

Apache Pulsar - distributed pub-sub messaging system
https://pulsar.apache.org/
Apache License 2.0

Jetty Upgrade: 12.x.x or latest #22939

Open devendrasr opened 1 week ago

devendrasr commented 1 week ago

Motivation

Team,

The version of jetty being used is somewhere around 9.x.x. This one is vulnerable and getting outdated. We need to migrate closer to 12.x.x. Any plans or approach would be highly appreciated.

Solution

No response

Alternatives

No response

Anything else?

No response

lhotari commented 1 week ago

I agree that we need to migrate to Jetty 12. There's a dev mailing list thread about this, https://lists.apache.org/thread/d7dqy4w9x1dyrcdrymoypv3v3p7bncxx .

I have already put a lot of time in this, but it's a lot of work to complete the migration. I have everything compiling, but there are some test failures. The WIP branch is here: https://github.com/lhotari/pulsar/pull/190/files .

> The version of jetty being used is somewhere around 9.x.x. This one is vulnerable and getting outdated.

We use 9.4.54.v20240208 in Pulsar. I'm not aware of medium or high severity vulnerabilities in this version. The main issue is that it isn't maintained, that's explained in the email thread, https://lists.apache.org/thread/d7dqy4w9x1dyrcdrymoypv3v3p7bncxx.

devendrasr commented 1 week ago

Thanks for all the context. Let me go through the provided information.

devendrasr commented 1 week ago

Looks like a lot of work has already been accomplished. I will be waiting for the pull request to be merged - https://github.com/lhotari/pulsar/pull/190

lhotari commented 1 week ago

> Looks like a lot of work has already been accomplished. I will be waiting for the pull request to be merged - https://github.com/lhotari/pulsar/pull/190

It's going to take some time since there are blockers. One of them is with Bookkeeper. We will need to upgrade Jetty in Bookkeeper before Pulsar since Pulsar puts all libraries in the same classpath. Pulsar's distribution also includes Bookkeeper.

Hopefully we could accomplish this before Pulsar 4.0 in October.
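The classpath point above (Pulsar and Bookkeeper jars sharing one lib directory) is something an operator can check for directly. The script below is an added example, not code from the Pulsar or Bookkeeper projects or from this thread: it lists the distinct Jetty versions found among the jar filenames in a directory and fails when more than one is present. The directory layout and jar naming (`<artifact>-<version>.jar`, version taken from the text after the last `-`) are assumptions about how a distribution lays out its libraries; the 12.0.0 version string used in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example: detect more than one Jetty version in a single jar directory.
# Assumes jars are named like jetty-server-9.4.54.v20240208.jar or
# org.eclipse.jetty-jetty-server-9.4.54.v20240208.jar (version after last '-').

# jetty_versions DIR -> prints each distinct Jetty version found, one per line
jetty_versions() {
  dir="$1"
  for f in "$dir"/*jetty*.jar; do
    [ -e "$f" ] || continue              # no match: glob stays literal, skip it
    base=$(basename "$f" .jar)           # drop directory and .jar suffix
    echo "${base##*-}"                   # keep text after the last '-'
  done | sort -u
}

# check_single_jetty_version DIR -> returns 0 if at most one version is present,
# 1 (and prints the versions to stderr) if the directory mixes Jetty versions
check_single_jetty_version() {
  n=$(jetty_versions "$1" | wc -l | tr -d ' ')
  if [ "$n" -gt 1 ]; then
    echo "conflict: $n Jetty versions found in $1:" >&2
    jetty_versions "$1" >&2
    return 1
  fi
  return 0
}

# Constructed sample: empty files standing in for a mixed 9.4 / 12 classpath.
demo_dir=$(mktemp -d)
touch "$demo_dir/jetty-server-9.4.54.v20240208.jar" \
      "$demo_dir/jetty-util-9.4.54.v20240208.jar" \
      "$demo_dir/jetty-http-12.0.0.jar"      # 12.0.0 is a placeholder version
check_single_jetty_version "$demo_dir" \
  || echo "mixed Jetty versions detected (expected for this constructed sample)"
rm -rf "$demo_dir"
```

Point `check_single_jetty_version` at the lib directory of an unpacked distribution; a non-zero exit means two Jetty lines are on the same classpath, which is the situation the comment above describes having to avoid by upgrading Bookkeeper first.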

lhotari commented 1 week ago

Bookkeeper mailing list discussion: https://lists.apache.org/thread/jkgnr9tt947fzshpoojn0r8n2pnr0h3f

lhotari commented 1 week ago

PR to upgrade Jetty 12 in Bookkeeper: https://github.com/apache/bookkeeper/pull/4447