
Jetty Upgrade: 12.x.x or latest

Open devendrasr opened this issue 1 year ago • 6 comments

Search before asking

  • [X] I searched in the issues and found nothing similar.

Motivation

Team,

The version of jetty being used is somewhere around 9.x.x. This one is vulnerable and getting outdated. We need to migrate closer to 12.x.x. Any plans or approach would be highly appreciated.

Solution

No response

Alternatives

No response

Anything else?

No response

Are you willing to submit a PR?

  • [X] I'm willing to submit a PR!

devendrasr avatar Jun 19 '24 06:06 devendrasr

I agree that we need to migrate to Jetty 12. There's a dev mailing list thread about this, https://lists.apache.org/thread/d7dqy4w9x1dyrcdrymoypv3v3p7bncxx .

I have already put a lot of time in this, but it's a lot of work to complete the migration. I have everything compiling, but there are some test failures. The WIP branch is here: https://github.com/lhotari/pulsar/pull/190/files .

The version of jetty being used is somewhere around 9.x.x. This one is vulnerable and getting outdated.

We use 9.4.54.v20240208 in Pulsar. I'm not aware of medium or high severity vulnerabilities in this version. The main issue is that it isn't maintained, that's explained in the email thread, https://lists.apache.org/thread/d7dqy4w9x1dyrcdrymoypv3v3p7bncxx.

lhotari avatar Jun 19 '24 07:06 lhotari

Thanks for all the context. Let me go through the provided information.

devendrasr avatar Jun 20 '24 03:06 devendrasr

Looks like a lot of work has already been accomplished. I will be waiting for the pull request to be merged - https://github.com/lhotari/pulsar/pull/190

devendrasr avatar Jun 20 '24 04:06 devendrasr

Looks like a lot of work has already been accomplished. I will be waiting for the pull request to be merged - https://github.com/lhotari/pulsar/pull/190

It's going to take some time since there are blockers. One of them is with Bookkeeper. We will need to upgrade Jetty in Bookkeeper before Pulsar since Pulsar puts all libraries in the same classpath. Pulsar's distribution also includes Bookkeeper.

Hopefully we could accomplish this before Pulsar 4.0 in October.

lhotari avatar Jun 20 '24 04:06 lhotari

Bookkeeper mailing list discussion: https://lists.apache.org/thread/jkgnr9tt947fzshpoojn0r8n2pnr0h3f

lhotari avatar Jun 24 '24 11:06 lhotari

PR to upgrade Jetty 12 in Bookkeeper: https://github.com/apache/bookkeeper/pull/4447

lhotari avatar Jun 24 '24 12:06 lhotari

Hopefully we could accomplish this before Pulsar 4.0 in October.

The Jetty 12 upgrade is postponed due to the lack of support for switching to a Java 17 baseline in BookKeeper, https://github.com/apache/bookkeeper/pull/4447 /cc @dlg99. We'll address that later, possibly for Pulsar 4.1.

lhotari avatar Oct 07 '24 06:10 lhotari