Fix: CVE-2024-13009

CHANGELOG.md

@@ -54,6 +54,7 @@ All notable changes to this project will be documented in this file.
 - spark-k8s: Add `3.5.6` ([#1142]).
 - spark-connect-client: Add `3.5.6` ([#1142]).
 - git-sync: Bump version to 4.4.1 ([#1151]).
+- zookeeper: bump jetty version for CVE-2024-13009 in 3.9.3 ([#1179])
 
 ### Changed
 
@@ -190,6 +191,7 @@ All notable changes to this project will be documented in this file.
 [#1165]: https://github.com/stackabletech/docker-images/pull/1165
 [#1168]: https://github.com/stackabletech/docker-images/pull/1168
 [#1170]: https://github.com/stackabletech/docker-images/pull/1170
+[#1179]: https://github.com/stackabletech/docker-images/pull/1179
 
 ## [25.3.0] - 2025-03-21
 

zookeeper/stackable/patches/3.9.3/0001-Add-CycloneDX-plugin.patch

@@ -8,7 +8,7 @@ Subject: Add CycloneDX plugin
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/pom.xml b/pom.xml
-index 6ef4011fe..07ae75387 100644
+index 6ef4011f..07ae7538 100644
 --- a/pom.xml
 +++ b/pom.xml
 @@ -925,7 +925,7 @@

zookeeper/stackable/patches/3.9.3/0002-ZOOKEEPER-4846-Failure-to-reload-database-due-to-mis.patch

@@ -13,7 +13,7 @@ Closes #2222 from anmolnar/ZOOKEEPER-4846
  2 files changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/DataTree.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/DataTree.java
-index 3b61c80d8..af937f834 100644
+index 3b61c80d..af937f83 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/DataTree.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/DataTree.java
 @@ -462,8 +462,9 @@ public class DataTree {
@@ -29,7 +29,7 @@ index 3b61c80d8..af937f834 100644
              }
 
 diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/server/DataTreeTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/server/DataTreeTest.java
-index 07a69f14f..fc20ed320 100644
+index 07a69f14..fc20ed32 100644
 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/DataTreeTest.java
 +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/DataTreeTest.java
 @@ -23,6 +23,7 @@ import static org.junit.jupiter.api.Assertions.assertFalse;

zookeeper/stackable/patches/3.9.3/0003-ZOOKEEPER-4921-Retry-endlessly-to-establish-a-brand-.patch

@@ -15,7 +15,7 @@ https://lists.apache.org/thread/nfb9z7rhgglbjzfxvg4z2m3pks53b3c1
  2 files changed, 47 insertions(+), 20 deletions(-)
 
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java b/zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java
-index 0bf616c61..207bb8c49 100644
+index 0bf616c6..207bb8c4 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java
 @@ -1242,7 +1242,7 @@ public class ClientCnxn {
@@ -28,7 +28,7 @@ index 0bf616c61..207bb8c49 100644
                          String warnInfo = String.format(
                              "Client session timed out, have not heard from server in %dms for session id 0x%s",
 diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SessionTimeoutTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SessionTimeoutTest.java
-index 7a59f5eb9..9f5943f68 100644
+index 7a59f5eb..9f5943f6 100644
 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SessionTimeoutTest.java
 +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SessionTimeoutTest.java
 @@ -18,6 +18,9 @@

zookeeper/stackable/patches/3.9.3/0004-ZOOKEEPER-4925-Fix-data-loss-due-to-propagation-of-d.patch

@@ -45,7 +45,7 @@ Add separated code to enforce continuous proposals
  create mode 100644 zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSyncTest.java
 
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/Request.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/Request.java
-index c174fdd1e..ad5071375 100644
+index c174fdd1..ad507137 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/Request.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/Request.java
 @@ -78,6 +78,19 @@ public class Request {
@@ -69,7 +69,7 @@ index c174fdd1e..ad5071375 100644
 
      public final int cxid;
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/TxnLogEntry.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/TxnLogEntry.java
-index 352eb81da..409fd21fa 100644
+index 352eb81d..409fd21f 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/TxnLogEntry.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/TxnLogEntry.java
 @@ -47,4 +47,8 @@ public final class TxnLogEntry {
@@ -82,7 +82,7 @@ index 352eb81da..409fd21fa 100644
 +    }
  }
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZKDatabase.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZKDatabase.java
-index 7258daa7c..7a26d8362 100644
+index 7258daa7..7a26d836 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZKDatabase.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZKDatabase.java
 @@ -58,6 +58,7 @@ import org.apache.zookeeper.server.quorum.Leader.Proposal;
@@ -156,7 +156,7 @@ index 7258daa7c..7a26d8362 100644
              wl.unlock();
          }
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
-index 6740f6d52..14dd59b8c 100644
+index 6740f6d5..14dd59b8 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
 @@ -1846,13 +1846,6 @@ public class ZooKeeperServer implements SessionExpirer, ServerStats.Provider {
@@ -205,7 +205,7 @@ index 6740f6d52..14dd59b8c 100644
 
      private void processTxnForSessionEvents(Request request, TxnHeader hdr, Record txn) {
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Follower.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Follower.java
-index 0eff9d248..ca99974cb 100644
+index 0eff9d24..ca99974c 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Follower.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Follower.java
 @@ -35,7 +35,6 @@ import org.apache.zookeeper.server.quorum.flexible.QuorumVerifier;
@@ -234,7 +234,7 @@ index 0eff9d248..ca99974cb 100644
                  /*
                   * Request header is created only by the leader, so this is only set
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/FollowerZooKeeperServer.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/FollowerZooKeeperServer.java
-index b67661999..1b0b5cd92 100644
+index b6766199..1b0b5cd9 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/FollowerZooKeeperServer.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/FollowerZooKeeperServer.java
 @@ -22,7 +22,6 @@ import java.io.IOException;
@@ -303,7 +303,7 @@ index b67661999..1b0b5cd92 100644
 -    }
  }
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Learner.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Learner.java
-index 1ef99e50a..adf0ef6e5 100644
+index 1ef99e50..adf0ef6e 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Learner.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Learner.java
 @@ -82,6 +82,10 @@ public class Learner {
@@ -431,7 +431,7 @@ index 1ef99e50a..adf0ef6e5 100644
              }
          } else {
 diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Observer.java b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Observer.java
-index d3aa41b5f..334fa54c1 100644
+index d3aa41b5..334fa54c 100644
 --- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Observer.java
 +++ b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/Observer.java
 @@ -202,12 +202,8 @@ public class Observer extends Learner {
@@ -464,7 +464,7 @@ index d3aa41b5f..334fa54c1 100644
 
              boolean majorChange = self.processReconfig(qv, suggestedLeaderId, qp.getZxid(), true);
 diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/server/TxnLogDigestTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/server/TxnLogDigestTest.java
-index 75d6fe680..b52ea3418 100644
+index 75d6fe68..b52ea341 100644
 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/TxnLogDigestTest.java
 +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/TxnLogDigestTest.java
 @@ -60,6 +60,7 @@ public class TxnLogDigestTest extends ClientBase {
@@ -484,7 +484,7 @@ index 75d6fe680..b52ea3418 100644
          super.tearDown();
 
 diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/server/ZxidRolloverTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/server/ZxidRolloverTest.java
-index 031ccc2f7..b23fd80a3 100644
+index 031ccc2f..b23fd80a 100644
 --- a/zookeeper-server/src/test/java/org/apache/zookeeper/server/ZxidRolloverTest.java
 +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/ZxidRolloverTest.java
 @@ -60,6 +60,7 @@ public class ZxidRolloverTest extends ZKTestCase {
@@ -505,7 +505,7 @@ index 031ccc2f7..b23fd80a3 100644
              zkClients[i].close();
 diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSyncTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSyncTest.java
 new file mode 100644
-index 000000000..c4b7720cf
+index 00000000..c4b7720c
 --- /dev/null
 +++ b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/QuorumSyncTest.java
 @@ -0,0 +1,100 @@

zookeeper/stackable/patches/3.9.3/0005-Bumping-jetty-version-to-fix-CVE-2024-13009.patch

@@ -0,0 +1,22 @@
+From d5ec0e10f1e2c967cd1bbc9aaeacc4f83705f1bf Mon Sep 17 00:00:00 2001
+From: Maxi Wittich <[email protected]>
+Date: Tue, 17 Jun 2025 15:39:44 +0200
+Subject: Bumping jetty version to fix CVE-2024-13009
+
+---
+ pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pom.xml b/pom.xml
+index 07ae7538..9c201245 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -560,7 +560,7 @@
+     <hamcrest.version>2.2</hamcrest.version>
+     <commons-cli.version>1.5.0</commons-cli.version>
+     <netty.version>4.1.113.Final</netty.version>
+-    <jetty.version>9.4.56.v20240826</jetty.version>
++    <jetty.version>9.4.57.v20241219</jetty.version>
+     <jackson.version>2.15.2</jackson.version>
+     <jline.version>2.14.6</jline.version>
+     <snappy.version>1.1.10.5</snappy.version>