Open devendrasr opened 1 week ago
I agree that we need to migrate to Jetty 12. There's a dev mailing list thread about this, https://lists.apache.org/thread/d7dqy4w9x1dyrcdrymoypv3v3p7bncxx .
I have already put a lot of time in this, but it's a lot of work to complete the migration. I have everything compiling, but there are some test failures. The WIP branch is here: https://github.com/lhotari/pulsar/pull/190/files .
> The version of jetty being used is somewhere around 9.x.x. This one is vulnerable and getting outdated.
We use 9.4.54.v20240208 in Pulsar. I'm not aware of medium or high severity vulnerabilities in this version. The main issue is that it isn't maintained, that's explained in the email thread, https://lists.apache.org/thread/d7dqy4w9x1dyrcdrymoypv3v3p7bncxx.
Thanks for all the context. Let me go through the provided information.
Looks like a lot of work has already been accomplished. I will be waiting for the pull request to be merged - https://github.com/lhotari/pulsar/pull/190
> Looks like a lot of work has already been accomplished. I will be waiting for the pull request to be merged - https://github.com/lhotari/pulsar/pull/190
It's going to take some time since there are blockers. One of them is with Bookkeeper. We will need to upgrade Jetty in Bookkeeper before Pulsar since Pulsar puts all libraries in the same classpath. Pulsar's distribution also includes Bookkeeper.
Hopefully we could accomplish this before Pulsar 4.0 in October.
Bookkeeper mailing list discussion: https://lists.apache.org/thread/jkgnr9tt947fzshpoojn0r8n2pnr0h3f
PR to upgrade Jetty 12 in Bookkeeper: https://github.com/apache/bookkeeper/pull/4447
Motivation
Team,
The version of jetty being used is somewhere around 9.x.x. This one is vulnerable and getting outdated. We need to migrate closer to 12.x.x. Any plans or approach would be highly appreciated.