Hi,

The ZOOKEEPER-4876 <https://issues.apache.org/jira/browse/ZOOKEEPER-4876> ticket was closed without actually addressing the CVE-2024-6763 vulnerability because, at the time, there was no jetty-http-9.4 release that included the security patch.
This situation has changed. Although they didn't publish a release note for it, the Jetty maintainers have published artifacts for Jetty 9.4.57, by which this CVE is addressed. It'd be great if we could bump the Jetty version in ZK to add them and actually remediate the issue. For that I've opened
https://github.com/apache/zookeeper/pull/2220

Do you need a new Jira ticket to track it? If you decide to merge, when could we expect a ZK release including that patch?

Thank you.