[fix][sec] Upgrade Jetty to 9.4.57.v20241219 to mitigate CVE-2024-6763

[lhotari]

Fixes #24114

Motivation & Modifications

Upgrade Jetty to 9.4.57.v20241219 to address CVE-2024-6763
Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.
More details:

• Jetty Releases 9.4.57 jetty/jetty.project#12630
• https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219

Note: The backport is a partial mitigation and Jetty 9.4.57 will continue to be marked as vulnerable. There's a discussion and explanation here: https://gitlab.eclipse.org/security/cve-assignement/-/issues/25#note_2968611

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

[wangchao316]

hello , I am a new developer for pulsar, our product start to use pulsar, which replace kafka in serverless env. I can learn your pr. our other product has upgraded jetty to 9.4.57.v20241219. this pr is good.

[wangchao316]

LGTM

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.19%. Comparing base (bbc6224) to head (d12d6ee).
Report is 1057 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #24232      +/-   ##
============================================
+ Coverage     73.57%   74.19%   +0.62%     
+ Complexity    32624    32557      -67     
============================================
  Files          1877     1866      -11     
  Lines        139502   144900    +5398     
  Branches      15299    16549    +1250     
============================================
+ Hits         102638   107515    +4877     
+ Misses        28908    28871      -37     
- Partials       7956     8514     +558     

Flag	Coverage Δ
inttests	26.86% <ø> (+2.28%)	⬆️
systests	23.30% <ø> (-1.03%)	⬇️
unittests	73.67% <ø> (+0.83%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1079 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lhotari]

Addresses CVE-2024-13009 too.

[joakime]

Jetty 9.4.57.v20241219 contains backported CVE-2024-6763 fix in jetty/jetty.project#12532 although it's not explicitly mentioned and most security scanners don't yet contain the information that it's been addressed in 9.4.57.

This is intentional, this is the "Unsupported when Assigned" behavior (a CVE thing), as Jetty 9 is EOL (End of Life)

• EOL (End of Life) for Jetty 9 - January 2025 jetty/jetty.project#7958
• EOL (End of Life) for Jetty 10 / Jetty 11 - January 2025 jetty/jetty.project#10485

If you still need javax.servlet namespace support, use the ee8 environment in Jetty 12.