Absolutely. That’s actually my original intention for the JDK 17 upgrade. We should definitely upgrade to Jetty 12 once the JDK upgrade has landed.
Thanks for the heads-up.

Andor

> On May 4, 2026, at 05:39, Lari Hotari <[email protected]> wrote:
>
> Hi all,
>
> I'd like to raise a point related to the discussion about ZooKeeper's
> minimum supported Java version.
>
> Jetty 9.x is end-of-life and no longer receives OSS security updates. There
> are unaddressed CVEs that affect the 9.4.x line:
>
> - CVE-2026-2332 (High) – HTTP request smuggling via chunked extension
>   parsing; affects Jetty <= 9.4.59. Fixed in 9.4.60.
> - CVE-2025-11143 (Low) – differential URI parsing that can lead to security
>   bypass; affects Jetty <= 9.4.58. Fixed in 9.4.59.
>
> The catch is that 9.4.59 and 9.4.60 are only available to customers paying
> for commercial support (e.g. Webtide/HeroDevs NES). OSS projects can no
> longer obtain security fixes for Jetty 9.x through Maven Central.
>
> The supported community line is Jetty 12.x, which requires Java 17 as the
> baseline.
>
> In Apache Pulsar, we've had to carry a fairly invasive workaround to
> upgrade to Jetty 12.x while still depending on ZooKeeper: we patch / shadow
> the relevant Pulsar-side integration classes (the equivalents of
> org.apache.zookeeper.server.admin and
> org.apache.zookeeper.metrics.prometheus) so Pulsar can run on Jetty 12.x
> even though ZooKeeper still pulls in Jetty 9.x. We'd very much like to drop
> this hack, but that requires ZooKeeper itself to move off Jetty 9.x.
>
> Given that Jetty 12.x requires Java 17, raising ZooKeeper's Java baseline
> to 17 would unblock the Jetty upgrade and close the CVE exposure for
> downstream OSS users at the same time. Would the project consider tying the
> Java 17 baseline discussion to a Jetty 12 migration on the same release
> line?
>
> Happy to help with the migration work if there's interest.
>
> -Lari
>
> On Thu, 30 Apr 2026 at 02:14, Andor Molnár <[email protected]> wrote:
>
>> I’m trying to extract the relevant information from the thread for you.
>> Previously I wrote something like:
>>
>> “… we could make a leap and make JDK 17 the minimum runtime and compile
>> versions for the master branch.
>>
>> Once the change is merged to master, we'll backport it to branch-3.9 as
>> follows:
>>
>> * minimum JDK for building: 17
>> * minimum JRE for running: 8 (no change)”
>>
>> As far as I know, that’s what we agreed on, but unfortunately, no one has
>> been willing to create a PR for it since then. Are you happy to work on it?
>>
>> Andor
>>
>>> On Apr 29, 2026, at 13:12, Andor Molnár <[email protected]> wrote:
>>>
>>> Hi David,
>>>
>>> Thank you, your efforts are much appreciated.
>>>
>>> Yes. At the moment we still support Java 8 on all active branches.
>>> There’s only one exception: OWASP build process requires Java 11 to run.
>>>
>>> There was a bunch of discussions [1] and [2] recently regarding how should we
>>> upgrade and which JDK versions should we support on our branches. You might
>>> want to review them before going forward.
>>>
>>> [1] https://lists.apache.org/thread/42537mr70g3n8srzxg406xlssbcsqr7w
>>> [2] https://lists.apache.org/thread/ng8gq261ts5znzt6wb3zgjwqpsoqfftv
>>>
>>> Regards,
>>> Andor
>>>
>>>> On Apr 29, 2026, at 07:57, Dávid Paksy <[email protected]> wrote:
>>>>
>>>> Hi ZooKeeper devs,
>>>>
>>>> I started to work on JDK25 support in ZooKeeper. The compilation works fine
>>>> but for the tests to work I created ZOOKEEPER-5039 to upgrade Mockito to
>>>> 5.23.0.
>>>>
>>>> I put up #2376 PR and I saw, the GH: Action builds at the moment are done
>>>> using Java 8 and Java 11.
>>>>
>>>> Mockito 5.x requires Java 11 or higher. It will not work with Java 8.
>>>> Mockito 4.x supported Java 8 but Mockito 4.x does not support Java 25.
>>>>
>>>> Do we have to support Java 8 on ZooKeeper master branch? I did not find
>>>> any documentation regarding this.
>>>>
>>>> Thanks in advance,
>>>> Dávid
