Conversation

JvD-Ericsson
Contributor

Summary

  1. Why: To remove CVEs:

  2. What: Upgrade jetty to 12.0.12 to remove CVE-2024-13009 and CVE-2024-6763

  • security/CVE

Jetty 12 only works with Java 17+, so this change will not work with Java 11.

Contributor

@kyguy kyguy left a comment


Hi @JvD-Ericsson, thanks for putting this together! It's a shame that CVE-2024-6763 wasn't patched for Jetty versions < v12.0.11 (and that Jetty versions 12 and above require Java 17+).

Although the Cruise Control codebase doesn't use the affected HttpURI class directly, the implementations of the methods that Cruise Control does use are affected. Since Cruise Control relies on Jetty pretty heavily and the Jetty versions < v12 are out of support, we should consider dropping support for Java 11 in favor of Java 17 so we can move the Cruise Control codebase to a supported version of Jetty.

We should leave this PR open and create a separate issue/PR to discuss dropping support for Java 11 for Cruise Control. After that is sorted, we can revisit addressing CVE-2024-6763.
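The comment above boils down to two gates a maintainer has to check before merging a Jetty bump: is every Jetty artifact at or above the version that carries the fixes, and does the build's Java target satisfy Jetty 12's Java 17 requirement. The following script is an added example, not code from this PR or from Cruise Control; it parses constructed `group:artifact:version` lines (the shape a build tool's dependency report prints) and reports violations of either gate. It assumes, from this thread, that 12.0.12 is the version carrying the fixes for CVE-2024-6763 and CVE-2024-13009 and that Jetty 12 needs Java 17+; the sample dependency lines are constructed and mix Jetty 9 and 12 artifacts on purpose to exercise both the old `9.4.x.vYYYYMMDD` and the plain `12.0.x` version formats.

```python
import re
from dataclasses import dataclass

# Constructed sample of resolved coordinates (group:artifact:version), in the shape a
# build tool's dependency report prints them. This is NOT real Cruise Control output.
SAMPLE_DEPENDENCIES = """
org.eclipse.jetty:jetty-server:9.4.54.v20240208
org.eclipse.jetty:jetty-servlet:9.4.54.v20240208
org.eclipse.jetty:jetty-http:12.0.12
org.eclipse.jetty:jetty-util:12.0.9
com.fasterxml.jackson.core:jackson-databind:2.17.2
"""

# Assumptions taken from the PR thread: 12.0.12 is the target version that carries the
# fixes for CVE-2024-6763 and CVE-2024-13009, and Jetty 12 requires Java 17 or newer.
FIXED_JETTY_VERSION = (12, 0, 12)
JETTY12_MIN_JAVA = 17

# Jetty 9/10/11 versions look like 9.4.54.v20240208; Jetty 12 versions look like 12.0.12.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")


def parse_jetty_version(text):
    """Turn a Jetty version string into a comparable (major, minor, patch, date) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    major, minor, patch, date = m.groups()
    return (int(major), int(minor), int(patch), int(date) if date else 0)


@dataclass
class Finding:
    coordinate: str
    version: str
    reason: str


def audit(dependency_report, fixed=FIXED_JETTY_VERSION, java_release=17):
    """Return one Finding per Jetty artifact that is below the fixed version, or that is
    Jetty 12 while the build still targets a Java release older than 17."""
    findings = []
    for line in dependency_report.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3:
            continue  # skip anything that is not a group:artifact:version coordinate
        group, artifact, version = parts
        if group != "org.eclipse.jetty":
            continue
        parsed = parse_jetty_version(version)
        coordinate = f"{group}:{artifact}"
        if parsed[:3] < fixed:
            fixed_str = ".".join(map(str, fixed))
            findings.append(Finding(coordinate, version, f"below fixed version {fixed_str}"))
        elif parsed[0] >= 12 and java_release < JETTY12_MIN_JAVA:
            findings.append(Finding(coordinate, version,
                                    f"Jetty 12 needs Java {JETTY12_MIN_JAVA}+, build targets Java {java_release}"))
    return findings


if __name__ == "__main__":
    for target in (17, 11):
        print(f"== build targeting Java {target} ==")
        for f in audit(SAMPLE_DEPENDENCIES, java_release=target):
            print(f"{f.coordinate}:{f.version} -> {f.reason}")
```

With the build targeting Java 17 the three artifacts still below 12.0.12 are reported; with Java 11 the already-upgraded `jetty-http:12.0.12` is reported too, which is exactly the incompatibility the thread describes. The version tuple keeps the `vYYYYMMDD` date as a fourth element so two Jetty 9 builds of the same patch level still compare deterministically.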

@JvD-Ericsson JvD-Ericsson mentioned this pull request Sep 19, 2025
@JvD-Ericsson
Contributor Author

Thanks for the detailed context! That makes sense; I’ll leave this PR open for now. I also created a PR for removing support for Java 11, #2308. If there’s consensus on dropping Java 11 support, I can update this PR accordingly. Thanks @kyguy

1. Why:
To remove CVEs:
  - CVE-2024-6763
  - CVE-2024-13009

2. What:
Upgrade jetty to 12.0.12 to remove CVE-2024-13009 and CVE-2024-6763.

- [x] security/CVE

Signed-off-by: JvD_Ericsson <[email protected]>