Jetty Releases 9.4.57 #12630
Comments
Hi, I'm a PMC member of Apache IoTDB in which we have a dependency on jetty 9.4.56.
@JackieTien97, this has been delayed. You should better understand that 9.x versions have been EoCS (End of Community Support) #7958 for more than two years now.
ok... thx
@olamy Could you please update the targeted date for this?
@tarunkalra7 the target date is unspecified for any open source release of 9.4.x
@tarunkalra7 you should be using a supported version of Jetty at this point in time. Note: if you need to stick with
Hi, is jetty 9.4.57 available? I see this version is already in the maven repo. https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-server/9.4.57.v20241219/
Seems to be released. Also, I can see a release tag here https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
@olamy @joakime I can see CVE-2024-6763 against the 9.4.57 version as well. Could you please confirm?
If you look at commit history you will see this one dd2c253
@HTHou @tarunkalra7 Jetty 9.x is no longer supported. You should be using a supported version of Jetty now.
The main reason we still use Jetty 9 is the Java 8 support. Once we decide to change the requirement of the JDK runtime version to 17, we will migrate to Jetty 12.
@olamy Is there any possibility to update this as well - GHSA-qh8g-58pp-2wxh to include the patched version on 9.x branch
@tarunkalra7 Jetty 9 is no longer to be used; it is no longer supported, and that includes CVEs. Note that the CVE is not ready to be updated.
Closing this as completed
Which other factors?
I really appreciate the effort that the Jetty maintainers have gone through to ensure that CVE-2024-6763 is squashed in this deprecated version of Jetty and that an official 9.4 release has been cut and made available. Thank you. Can I kindly ask what the issue is with updating the CVE's definition to state that jetty-9.4.57.v20241219 is not vulnerable? Until this is done, vulnerability scanners will falsely report this issue as being live in this version when we know that it is not. I understand that 9.4 is officially unsupported, and has been for some time, and that you do not want to encourage further use of this version, and I think most folks that are on 9.4 these days are aware of the need to upgrade. However, given the supported path now is to get onto 12 (as 10 and 11 are also EOL), the upgrade process isn't so straightforward for some users, given how widely used 9.4 was in many other - currently shipping - products and frameworks. It sure would be great to have this CVE disappear from dashboards and reports while folks work on that upgrade path. Thanks again.
Jetty Versions:
This release process will produce releases: 9.4.57
Target Date:
Unspecified. Branch 9.4.x is now at End of Open Source/Community Support.
Tasks:
- Such updates should only be included in the week before a release if there is a compelling security or stability reason to do so.
- Create the release/<ver> branch to perform version-specific release work from.
- git fetch --tags (as we potentially rewrite the tag when re-staging, the local tag can be out of sync, and this command will fail and so fail the release script).
- VERSION.txt additions for each release will be meaningful, descriptive, correct text.
- Push release/<ver> to https://github.com/jetty/jetty.project
- Push jetty-<ver> to https://github.com/jetty/jetty.project
- Update VERSION.txt to include any actual CVE number next to the corresponding issue.
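Added example for the git fetch --tags task above (not code from this issue or from the jetty.project release scripts): a POSIX shell check that a release tag in the local clone still points at the same commit as on the remote, so a re-staged (rewritten) tag is caught before the release script runs. It assumes a git clone with a configured remote (defaults to origin); the tag name in the usage line is the one from this issue.

```shell
#!/bin/sh
# tag_in_sync <tag> [remote]
#   exit 0: local and remote tag resolve to the same commit
#   exit 1: they differ (tag was rewritten remotely; run git fetch --tags --force)
#   exit 2: tag missing locally or not reachable on the remote
# Assumes we are inside a git work tree with <remote> configured (assumption).
tag_in_sync() {
    tag=$1
    remote=${2:-origin}

    # Peel the local tag to a commit; annotated tags are tag objects, so ^{commit} is needed.
    local_sha=$(git rev-parse -q --verify "refs/tags/$tag^{commit}" 2>/dev/null) || {
        echo "tag_in_sync: tag $tag not found locally" >&2
        return 2
    }

    # Fetch only that tag into FETCH_HEAD. --no-tags stops git from auto-following
    # tags, so the stale local tag is left untouched and nothing is clobbered.
    git fetch -q --no-tags "$remote" "refs/tags/$tag" 2>/dev/null || {
        echo "tag_in_sync: tag $tag not found on remote $remote" >&2
        return 2
    }
    remote_sha=$(git rev-parse -q --verify 'FETCH_HEAD^{commit}' 2>/dev/null) || return 2

    if [ "$local_sha" = "$remote_sha" ]; then
        echo "tag $tag in sync: $local_sha"
        return 0
    fi
    echo "tag $tag OUT OF SYNC: local $local_sha, $remote $remote_sha" >&2
    echo "fix: git fetch --tags --force $remote" >&2
    return 1
}

# Usage when run directly, e.g.: sh tag_in_sync.sh jetty-9.4.57.v20241219 origin
[ $# -eq 0 ] || tag_in_sync "$@"
```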