[ https://issues.apache.org/jira/browse/RANGER-5608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085796#comment-18085796 ]

Velmurugan Periasamy edited comment on RANGER-5608 at 6/4/26 3:28 PM:
----------------------------------------------------------------------

Hi [~madhan] 
Based on the Jetty dependency analysis, upgrading Ranger directly from Jetty 
9.4.x to Jetty 12.x would require careful coordination with multiple upstream 
components that currently introduce Jetty 9.4 dependencies transitively.

The dependency tree shows that a significant number of Ranger modules inherit 
Jetty artifacts through external components such as Hadoop Common, Solr/SolrJ, 
Hive, Knox, Schema Registry, and other platform dependencies. Several of these 
dependencies are currently tied to Jetty 9.4.x versions (ranging from 9.4.18 
through 9.4.57), and some modules rely on a broad set of Jetty server, servlet, 
webapp, security, and ALPN-related artifacts.

Given the substantial architectural and API changes introduced in Jetty 12, a 
direct upgrade within Ranger may lead to compatibility issues unless the 
dependent upstream components first provide support for Jetty 12. As a result, 
the Jetty upgrade effort should be evaluated in conjunction with the upgrade 
roadmap of these dependencies to ensure alignment and avoid introducing 
dependency conflicts.

Based on the current dependency landscape, it would be advisable to first 
identify and upgrade the dependent components that continue to bring in Jetty 
9.4.x artifacts. Once those dependencies have moved to versions that support 
Jetty 12, Ranger's Jetty upgrade can be assessed and executed with 
significantly lower risk.


CC [~pradeep], [~dhavalshah9131]


was (Author: JIRAUSER298659):
Hi [~madhan] 
Based on the Jetty dependency analysis, upgrading Ranger directly from Jetty 
9.4.x to Jetty 12.x would require careful coordination with multiple upstream 
components that currently introduce Jetty 9.4 dependencies transitively.

The dependency tree shows that a significant number of Ranger modules inherit 
Jetty artifacts through external components such as Hadoop Common, Solr/SolrJ, 
Hive, Knox, Schema Registry, and other platform dependencies. Several of these 
dependencies are currently tied to Jetty 9.4.x versions (ranging from 9.4.18 
through 9.4.57), and some modules rely on a broad set of Jetty server, servlet, 
webapp, security, and ALPN-related artifacts.

Given the substantial architectural and API changes introduced in Jetty 12, a 
direct upgrade within Ranger may lead to compatibility issues unless the 
dependent upstream components first provide support for Jetty 12. As a result, 
the Jetty upgrade effort should be evaluated in conjunction with the upgrade 
roadmap of these dependencies to ensure alignment and avoid introducing 
dependency conflicts.

Based on the current dependency landscape, it would be advisable to first 
identify and upgrade the dependent components that continue to bring in Jetty 
9.4.x artifacts. Once those dependencies have moved to versions that support 
Jetty 12, Ranger's Jetty upgrade can be assessed and executed with 
significantly lower risk.
Jetty Dependency sheet - [https://docs.google.com/spreadsheets/d/1iWv9QJqjeocfV2Pi3sB0hskSK7UXqNUDYoN-8jSh_M4/edit?gid=0#gid=0]

CC [~pradeep], [~dhavalshah9131]

> Ranger - Migrate to jetty 12.0.12+ due to CVE-2024-6763, CVE-2025-1948
> ----------------------------------------------------------------------
>
>                 Key: RANGER-5608
>                 URL: https://issues.apache.org/jira/browse/RANGER-5608
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Dhaval Shah
>            Assignee: Sanket Shelar
>            Priority: Major
>
> Migrate to jetty 12.0.12+ due to CVE-2024-6763, CVE-2025-1948
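The comment above recommends first identifying which direct dependencies still pull Jetty 9.4.x in transitively. The Python script below is an added illustration of that step; it is not part of the Ranger project or of this JIRA thread. It parses the text output of `mvn dependency:tree`, attributes every `org.eclipse.jetty*` artifact to the direct dependency of the module that introduces it, and lists the direct dependencies that still carry a Jetty version below 12.0.12 (the minimum named in the issue title). The module name, dependency versions and tree shape in `SAMPLE_TREE` are constructed sample data, not Ranger's real dependency tree.

```python
import re

# Constructed sample of `mvn dependency:tree` output for one module. The module
# name, the dependency versions and the tree shape are made up for this example.
SAMPLE_TREE = [
    "[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ example-plugin ---",
    "[INFO] org.example:example-plugin:jar:1.0.0-SNAPSHOT",
    "[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile",
    r"[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile",
    r"[INFO] |  |  \- org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile",
    r"[INFO] |  \- org.eclipse.jetty:jetty-webapp:jar:9.4.53.v20231009:compile",
    "[INFO] +- org.apache.solr:solr-solrj:jar:8.11.3:compile",
    r"[INFO] |  \- org.eclipse.jetty:jetty-alpn-client:jar:9.4.44.v20210927:compile (version managed from 9.4.18.v20190429)",
    "[INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.4.57.v20241219:compile",
    r"[INFO] \- org.example:already-migrated:jar:2.0.0:compile",
    r"[INFO]    \- org.eclipse.jetty:jetty-server:jar:12.0.14:compile",
    "[INFO] BUILD SUCCESS",
]

# Minimum fixed Jetty version named in the issue title (12.0.12+).
MIN_FIXED = (12, 0, 12)
# Prefix match on purpose: it also covers org.eclipse.jetty.http2, .alpn, ...
JETTY_GROUP = "org.eclipse.jetty"


def parse_tree(lines):
    """Yield (depth, group, artifact, version) for every coordinate line.

    Each nesting level of the Maven tree takes three characters ('+- ', '\\- ',
    '|  ' or '   '), so the column where the coordinates start gives the depth.
    """
    for line in lines:
        if not line.startswith("[INFO] "):
            continue
        rest = line[len("[INFO] "):]
        m = re.search(r"[A-Za-z0-9]", rest)
        if not m:
            continue
        # Drop trailing annotations such as "(version managed from ...)".
        coords = rest[m.start():].split(" ", 1)[0]
        parts = coords.split(":")
        if len(parts) < 4:  # plugin banner, "BUILD SUCCESS" and similar log lines
            continue
        group, artifact = parts[0], parts[1]
        # Layout is group:artifact:type[:classifier]:version[:scope].
        version = parts[4] if len(parts) == 6 else parts[3]
        yield m.start() // 3, group, artifact, version


def jetty_by_direct_dependency(lines, jetty_group=JETTY_GROUP):
    """Group Jetty artifacts by the direct dependency that introduces them.

    Returns {module: {direct_dependency: [(jetty_artifact, version), ...]}}.
    A Jetty artifact the module declares itself is keyed by its own name.
    """
    stack = []  # stack[d] holds the "group:artifact" at depth d on the current path
    found = {}
    for depth, group, artifact, version in parse_tree(lines):
        del stack[depth:]
        stack.append(f"{group}:{artifact}")
        if depth == 0 or not group.startswith(jetty_group):
            continue
        module, via = stack[0], stack[1]
        found.setdefault(module, {}).setdefault(via, []).append((stack[-1], version))
    return found


def version_tuple(version):
    """Leading numeric components only: '9.4.53.v20231009' -> (9, 4, 53)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def blocking_dependencies(lines, minimum=MIN_FIXED):
    """Direct dependencies that still pull in a Jetty artifact below `minimum`.

    Returns {module: sorted list of direct dependency coordinates}; these are the
    upstream components that have to move before the module itself can be upgraded.
    """
    result = {}
    for module, by_dep in jetty_by_direct_dependency(lines).items():
        blockers = sorted(dep for dep, arts in by_dep.items()
                          if any(version_tuple(v) < minimum for _, v in arts))
        if blockers:
            result[module] = blockers
    return result


if __name__ == "__main__":
    for module, by_dep in jetty_by_direct_dependency(SAMPLE_TREE).items():
        print(module)
        for dep, arts in by_dep.items():
            for art, ver in arts:
                flag = "UPGRADE" if version_tuple(ver) < MIN_FIXED else "ok"
                print(f"  {dep:40} -> {art}:{ver} [{flag}]")
    print("blocking:", blocking_dependencies(SAMPLE_TREE))
```

Feed it the saved output of `mvn dependency:tree` run across the whole build (one `[INFO] group:artifact:...` root line per module resets the path stack, so a multi-module tree works as well); the `blocking` map is then the list of upstream components to upgrade first, which is the ordering the comment proposes.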



--
This message was sent by Atlassian Jira
(v8.20.10#820010)