This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch branch-3.9
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.9 by this push:
     new 3b9d1ce53 ZOOKEEPER-4932: The newest version of zookeeper includes 
Jetty versiob 9.4.57.x which has CVE-2024-6763 issue
3b9d1ce53 is described below

commit 3b9d1ce5382eaef629e3d32c479078ef090479b2
Author: Andor Molnár <an...@apache.org>
AuthorDate: Fri Aug 1 16:35:51 2025 -0500

    ZOOKEEPER-4932: The newest version of zookeeper includes Jetty versiob 
9.4.57.x which has CVE-2024-6763 issue
    
    ZOOKEEPER-4932: Put back accidentally removed owasp suppression
    Update owaspSuppressions.xml
    Co-authored-by: Kezhu Wang <kez...@gmail.com>
    Reviewers: kezhuw
    Author: anmolnar
    Closes #2288 from anmolnar/ZOOKEEPER-4932
    
    (cherry picked from commit 06b418b62d281c2259dee3eccb9885393532a204)
    Signed-off-by: Andor Molnar <an...@cloudera.com>
---
 owaspSuppressions.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index a74a781a4..0074f735c 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -18,6 +18,23 @@
 -->
 
 <suppressions 
xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd";>
+   <suppress>
+      <!--
+         We have updated jetty[1] to 9.4.57.v20241219[2] which includes a 
fix[3] for CVE-2024-6763[4].
+         But it is not listed as fixed version since 9.x is EOL[5]. So we 
still have to suppress this
+         to pass vulnerabilities check. Besides above, ZooKeeper does not use 
HttpURI[6] thus should
+         not be affected by this CVE anyway.
+
+         Refs:
+         [1]: https://github.com/apache/zookeeper/pull/2220
+         [2]: 
https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219
+         [3]: https://github.com/jetty/jetty.project/pull/12532
+         [4]: https://github.com/advisories/GHSA-qh8g-58pp-2wxh
+         [5]: 
https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611
+         [6]: https://issues.apache.org/jira/browse/ZOOKEEPER-4876
+      -->
+      <cve>CVE-2024-6763</cve>
+   </suppress>
    <suppress>
       <!-- ZOOKEEPER-3217 -->
       <cve>CVE-2018-8088</cve>
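Review bot: The new `<suppress>` block is unscoped: a bare `<cve>CVE-2024-6763</cve>` silences that CVE for every dependency in the scan, not only for the Jetty artifacts the comment justifies, so a future downgrade or a second artifact carrying the same CVE would go unreported. Scoping it to Jetty keeps the rationale enforceable, e.g. `<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/.*$</packageUrl>` immediately before the `<cve>` line; since the comment notes that 9.x is EOL, an `until` date on `<suppress>` would also force the suppression to be revisited rather than live forever. The justification is currently only in an XML comment; the suppression schema's `<notes>` element would carry it into the generated report where reviewers actually see it. The enclosing `<suppressions>` element closes outside the hunk.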
