Jetty Releases 9.4.57 #12630

Open
13 of 40 tasks
olamy opened this issue Dec 11, 2024 · 11 comments

@olamy
Member

olamy commented Dec 11, 2024

Jetty Versions:
This release process will produce releases: 9.4.57

Target Date:
Unspecified. Branch 9.4.x is now at End of Open Source/Community Support.

Tasks:

  • Create the release(s) issue.
  • Update the target Jetty version(s) in the issue.
  • Link this issue to the target GitHub Project(s).
  • Assign this issue to a "release manager".
  • Review draft security advisories. Ensure that issues are created and assigned to GitHub Projects to capture any advisories that will be announced.
  • Update GitHub Project(s)
    • Create new project for the next releases (not this release).
    • Ensure new project is public (not private)
    • Freeze the target GitHub Project(s) by editing their names to "Jetty X.Y.Z FROZEN"
    • Review the issues/PRs assigned to the target GitHub Project(s). Any tasks that are not-yet-started are moved to next releases.
  • Review dependabot status. Manually run dependabot if needed and review resulting PRs for inclusion.
    Such updates should only be included in the week before a release if there is a compelling security or stability reason to do so.
  • Wait 24 hours from last change to the issues/PRs included in FROZEN GitHub Project(s).
  • Verify target project(s) are complete.
  • Assign issue to "build manager", who will stage the releases.
    • Create and use branches release/<ver> to perform version specific release work from.
    • Ensure git fetch --tags (as we potentially rewrite tags when re-staging, the local tag can be out of sync, and this command will fail and so fail the release script)
    • Ensure VERSION.txt additions for each release will be meaningful, descriptive, correct text.
    • Stage 9.4 release with Java 11.
    • Push release branches release/<ver> to https://github.com/jetty/jetty.project
    • Push release tags jetty-<ver> to https://github.com/jetty/jetty.project
    • Edit a draft release (for each Jetty release) in GitHub (https://github.com/jetty/jetty.project/releases). Content is generated with the "changelog tool".
  • Assign issue to "test manager", who will oversee the testing of the staged releases.
  • Collect release votes from committers.
  • Promote staged releases.
  • Merge release branches back to main branches and delete release branches.
  • Verify release existence in Maven Central by triggering the Jenkins builds of CometD.
  • Update Jetty versions on the website (follow instructions in jetty-website).
    • Update (or check) Download page is updated.
    • Update (or check) documentation page(s) are updated (if applicable for supported versions of Jetty).
  • Publish GitHub Releases.
  • Publish any security advisories.
    • Edit VERSION.txt to include any actual CVE number next to the corresponding issue.
    • Edit any issues for CVEs in GitHub with their CVE number.
  • Notify downstream maintainers.
    • Docker maintainer.
@olamy olamy added the Build label Dec 11, 2024
@olamy olamy self-assigned this Dec 11, 2024
@JackieTien97

Hi, I'm a PMC member of Apache IoTDB in which we have a dependency on jetty 9.4.56.
However, there still exists a CVE in that version which seems to be resolved in v9.4.57.
So, I’d like to ask about the progress of the 9.4.57 release. When can it be available for dependency in the Maven repository?

@olamy
Member Author

olamy commented Dec 17, 2024

@JackieTien97, this has been delayed. You should better understand that 9.x versions have been EoCS (End of Community Support) #7958 for more than two years now.
In your interest, it would be better to upgrade to 12 (with ee8 support if you cannot upgrade to a more recent servlet API)

@JackieTien97

ok... thx

@tarunkalra7

@olamy Could you please update the targeted date for this?

@joakime joakime moved this to 🏗 In progress in Jetty 9.4.57 (FROZEN) Dec 19, 2024
@joakime
Contributor

joakime commented Dec 19, 2024

@tarunkalra7 the target date is unspecified for any open source release of 9.4.x

@joakime
Contributor

joakime commented Dec 19, 2024

@tarunkalra7 you should be using a supported version of Jetty at this point in time.
Jetty 12 is that version.

Note: if you need to stick with javax.servlet and cannot upgrade to jakarta.servlet yet, then use the ee8 environment on Jetty 12, as that still supports the older javax.servlet namespace.

@HTHou

HTHou commented Jan 21, 2025

Hi, is jetty 9.4.57 available? I see this version is already in the maven repo.

https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-server/9.4.57.v20241219/

@tarunkalra7

Seems to be released. Also, I can see a release tag here https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.57.v20241219

@tarunkalra7

@olamy @joakime I can see CVE-2024-6763 against the 9.4.57 version as well. Could you please confirm?
Ref : https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-http/9.4.57.v20241219

@olamy
Member Author

olamy commented Jan 21, 2025

If you look at commit history you will see this one dd2c253
so yes fix for this CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6763 is included in this release

@joakime
Contributor

joakime commented Jan 21, 2025

@HTHou @tarunkalra7 Jetty 9.x is no longer supported.

You should be using a supported version of Jetty now.
Jetty 12 is that version. (Note: to maintain support for javax.servlet, use the ee8 environment on Jetty 12. The other environments are on the jakarta.servlet namespace.)
