Posted to jira@kafka.apache.org by "John Stacy (Jira)" <ji...@apache.org> on 2021/03/01 23:49:00 UTC

[jira] [Commented] (KAFKA-12359) Update Jetty to 11

    [ https://issues.apache.org/jira/browse/KAFKA-12359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293247#comment-17293247 ] 

John Stacy commented on KAFKA-12359:
------------------------------------

Due to this vulnerability, you might want to bump to 11.0.1: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7

> Update Jetty to 11
> ------------------
>
>                 Key: KAFKA-12359
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12359
>             Project: Kafka
>          Issue Type: Improvement
>          Components: KafkaConnect, tools
>            Reporter: Dongjin Lee
>            Assignee: Dongjin Lee
>            Priority: Major
>
> I found this problem when I was working on [KAFKA-12324|https://issues.apache.org/jira/browse/KAFKA-12324].
> At present, Kafka Connect and Trogdor are using Jetty 9. Although Jetty's stable release is 9.4, the Jetty community is now moving their focus to Jetty 10 and 11, which require Java 11 as a prerequisite. To minimize potential security vulnerabilities, Kafka should migrate to Java 11 + Jetty 11 as soon as Jetty 9.4 reaches the end of life. As a note, [Jetty 9.2 reached End of Life in March 2018|https://www.eclipse.org/lists/jetty-announce/msg00116.html], and 9.3 also did in [February 2020|https://www.eclipse.org/lists/jetty-announce/msg00140.html].
> In other words, the necessity of moving to Java 11 is heavily affected by Jetty's maintenance plan. Jetty 9.4 seems like it will still be supported for a certain period of time, but it is worth being aware of these relationships and having a migration plan.
> Updating Jetty to 11 is not resolved by simply changing the version. Along with its API changes, we have to cope with additional dependencies, [Java EE class name changes|https://webtide.com/renaming-from-javax-to-jakarta/], making Jackson compatible with the changes, etc.
> As a note: for the difference between Jetty 10 and 11, see [here|https://webtide.com/jetty-10-and-11-have-arrived/] - in short, "Jetty 11 is identical to Jetty 10 except that the javax.* packages now conform to the new jakarta.* namespace.".


