[
https://issues.apache.org/jira/browse/ZOOKEEPER-5038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082428#comment-18082428
]
Jose Angel Riarola commented on ZOOKEEPER-5038:
-----------------------------------------------
I gave that plan a try, [~lhotari], to decouple the admin server from the
rest: [https://github.com/apache/zookeeper/pull/2395]
I tried keeping it as small as possible.
This is technically a breaking change for users that rely on the admin server
and still run on Java 8, therefore we might need a major version if that's the
policy. At the very least it should be in the release notes.
I expanded the warning that should pop up if adminserver fails with
NoClassDefFoundError to indicate that Java 17+ is now required.
> Upgrade Jetty to address CVE-2026-2332
> --------------------------------------
>
> Key: ZOOKEEPER-5038
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5038
> Project: ZooKeeper
> Issue Type: Task
> Components: server
> Affects Versions: 3.9.5, 3.8.6
> Reporter: Jota Martos
> Assignee: Dávid Paksy
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Jetty versions lower than 9.4.60 are affected by this CVE.
> bq. Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer
> encoding extension values, enabling request smuggling attacks.
> You can find more information in the [security
> advisory|https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf].