pfcoperez opened a new pull request, #2220: URL: https://github.com/apache/zookeeper/pull/2220
With https://github.com/apache/zookeeper/pull/2202, one of the two CVEs around the Jetty dependency was addressed. Unfortunately, at that moment `CVE-2024-6763` was not removed, as the Jetty maintainers had not published a patch release fixing it (https://issues.apache.org/jira/browse/ZOOKEEPER-4876?focusedCommentId=17890378&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17890378).

That patch release is still not officially released according to their release notes, but the truth is that the Maven repository has it: [Central Repository: org/eclipse/jetty/jetty-http/9.4.57.v20241219](https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-http/9.4.57.v20241219/) and it has the backport for the CVE remediation:

This PR bumps the Jetty dependency to this patch release, thus effectively fixing the second CVE in https://issues.apache.org/jira/browse/ZOOKEEPER-4876