There is a CVE in libthrift https://nvd.nist.gov/vuln/detail/CVE-2026-43869
which is fixed in 0.23.0. While trying to upgrade it in HBASE-30182, I found that libthrift has already moved up to jakarta servlet api, instead of javax servlet api, which makes it impossible to support java 8. We can move up to jakarta servlet api on master and branch-3 since we only need to support java 17 there, and we already have a shaded jetty 11 in hbase-thirdparty I believe? But how to deal with branch-2.x? Any suggestions? Thanks.
