fix(security): upgrade Jetty 11.0.26 -> 12.0.35 to fix CVE-2026-2332 #2894
srujana-kuntumalla wants to merge 7 commits into
Conversation
CVE-2026-2332 (CVSS 9.1, CWE-444): HTTP/1.1 request smuggling via improper chunk-extension parsing. Jetty 11.x is EOL with no backport; the fix is in Jetty 12.0.33+. Jetty 12.0.x requires Java 17, same minimum as this project.

Changes:
- tika-parent/pom.xml: jetty.version 11.0.26 -> 12.0.35; rename http2 artifacts (http2-* -> jetty-http2-*); upgrade cxf.version 4.0.11 -> 4.1.7 (CXF 4.1.x targets Jetty 12); upgrade solrj.version 9.10.1 -> 10.0.0 (SolrJ 9 bundles Jetty 11 client APIs incompatible with Jetty 12)
- tika-server-core/pom.xml: use renamed jetty-http2-server; add jakarta.servlet-api 6.0.0 (Jetty 12 no longer bundles the EE9 servlet JAR)
- SolrEmitter.java, SolrPipesIterator.java: Http2SolrClient -> HttpJettySolrClient, LBHttpSolrClient -> LBJettySolrClient (SolrJ 10 renames)
- tika-pipes-solr/pom.xml, tika-pipes-solr-integration-tests/pom.xml: add solr-solrj-jetty (SolrJ 10 split Jetty client classes into a separate module)
- TikaPipesSolrTestBase.java: Http2SolrClient -> HttpJettySolrClient
- PipesBiDirectionalStreamingIntegrationTest.java: PathResource (removed in Jetty 12) -> ResourceHandler.setBaseResourceAsString()

Note: LBJettySolrClient no longer accepts Apache HttpClient; proxy/auth configuration via HttpClientFactory needs follow-up work (marked with TODOs).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Compilation revealed that SolrJ 10 moved classes to new packages:
- HttpJettySolrClient, LBJettySolrClient: org.apache.solr.client.solrj.impl -> org.apache.solr.client.solrj.jetty
- SolrQuery: org.apache.solr.client.solrj -> org.apache.solr.client.solrj.request
- LBJettySolrClient.Builder now takes (HttpJettySolrClient, Endpoint...) in its constructor rather than a fluent withBaseEndpoints(); endpoints passed inline
- Proxy is now configured via HttpJettySolrClient.Builder.withProxyConfiguration() natively, removing the dependency on Apache HttpClient for proxy/auth
- CloudSolrClient.Builder.withInternalClientBuilder() confirmed present and used for the ZooKeeper path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
here's what copilot wrote about the fail:

===

The failure is in

Root cause: The test/runtime code expects SolrJ class

Solution: Update the ZK-based Solr client initialization to use the newer SolrJ API (

Code suggestion (replace reflective/direct usage of
In SolrJ 10, ZkClientClusterStateProvider was moved from solr-solrj into a separate solr-solrj-zookeeper module. Without it on the classpath, the ZK code path in CloudSolrClient.Builder.build() throws ClassNotFoundException at runtime. This was caught by TikaPipesSolr8ZkTest in CI. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR migrates Apache Tika’s Jetty dependency line from 11.x to Jetty 12.0.35 to address CVE-2026-2332 (HTTP/1.1 request smuggling), and updates dependent components (CXF and SolrJ) to compatible versions/modules.
Changes:
- Upgrade Jetty to 12.0.35 (and rename Jetty HTTP/2 artifacts), plus upgrade CXF to 4.1.7.
- Upgrade SolrJ to 10.0.0 and update Solr Pipes emitter/iterator and integration tests to SolrJ 10’s Jetty client classes/modules.
- Update gRPC integration test to Jetty 12 resource handler API (setBaseResourceAsString).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| tika-parent/pom.xml | Bumps Jetty/CXF/SolrJ versions and updates Jetty HTTP/2 artifact coordinates; adjusts OSS Index exclusions. |
| tika-server/tika-server-core/pom.xml | Switches to renamed Jetty HTTP/2 server artifact and adds jakarta.servlet-api dependency for Jetty 12. |
| tika-pipes/tika-pipes-plugins/tika-pipes-solr/src/main/java/org/apache/tika/pipes/emitter/solr/SolrEmitter.java | Migrates Solr emitter from Http2 Solr client APIs to SolrJ 10 Jetty client APIs; adds proxy/basic auth wiring. |
| tika-pipes/tika-pipes-plugins/tika-pipes-solr/src/main/java/org/apache/tika/pipes/iterator/solr/SolrPipesIterator.java | Migrates Solr iterator to SolrJ 10 Jetty client APIs; updates LB client creation and proxy/basic auth wiring. |
| tika-pipes/tika-pipes-plugins/tika-pipes-solr/pom.xml | Adds SolrJ 10 split modules (solr-solrj-jetty, solr-solrj-zookeeper). |
| tika-integration-tests/tika-pipes-solr-integration-tests/src/test/java/org/apache/tika/pipes/solr/tests/TikaPipesSolrTestBase.java | Updates tests to use HttpJettySolrClient and updated SolrQuery import location. |
| tika-integration-tests/tika-pipes-solr-integration-tests/pom.xml | Adds SolrJ 10 split modules for test scope. |
| tika-grpc/src/test/java/org/apache/tika/pipes/grpc/PipesBiDirectionalStreamingIntegrationTest.java | Replaces removed Jetty 12 PathResource usage with ResourceHandler.setBaseResourceAsString(). |
- Move jakarta.servlet-api version management to tika-parent/pom.xml dependencyManagement; remove hardcoded 6.0.0 from tika-server-core
- Replace hardcoded 12.0.35 with ${jetty.http2.version} in OSS Index exclusion
- Validate auth scheme in SolrEmitter and SolrPipesIterator: throw TikaConfigException if a non-basic scheme is configured, since HttpJettySolrClient only supports basic auth
- Guard proxy configuration in both files: skip withProxyConfiguration() when port is null/zero to avoid silently misconfiguring the Jetty client

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Extract applyAuthAndProxy helper in SolrEmitter and SolrPipesIterator to eliminate duplicated auth-scheme validation and proxy-port guard across the ZK and LB client branches
- Update stale SolrJ version comment in tika-parent/pom.xml: replace "needs rework in a follow-up" with the actual current behaviour (basic auth and proxy wired; non-basic schemes rejected at startup)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SolrEmitter and SolrPipesIterator both configure withRequestTimeout on the ZooKeeper-based CloudSolrClient path but omitted it on the direct-URL LBJettySolrClient path, allowing requests to hang indefinitely. Apply the same HttpClientFactory request timeout consistently across both paths. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… ZK path
- Extract applyAuthAndProxy into SolrClientHelper to eliminate identical auth/proxy logic duplicated between SolrEmitter and SolrPipesIterator; helper reads proxy from HttpClientFactory directly (both callers already copy proxy config into the factory before building the Jetty client)
- Add missing withIdleTimeout to the ZK (CloudSolrClient) path in both classes so all three timeouts (request, connection, idle) are applied consistently across both ZK and LB paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
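The shape of the shared helper the last few commits describe (auth-scheme validation, proxy-port guard, and the three timeouts applied on both the LB and ZK paths), together with the SolrJ 10 call sites the earlier commit lists (`LBJettySolrClient.Builder(HttpJettySolrClient, Endpoint...)` and `CloudSolrClient.Builder.withInternalClientBuilder()`), written out as an added example. This is not Tika's `SolrClientHelper` nor SolrJ's own code. Assumptions: the `HttpJettySolrClient.Builder` methods `withBasicAuthCredentials`, `withProxyConfiguration(host, port, isSocks4, isSecure)`, `withRequestTimeout`, `withConnectionTimeout` and `withIdleTimeout` keep the shape of SolrJ 9's `Http2SolrClient.Builder`; `LBSolrClient.Endpoint` has a single-URL constructor; the `AuthConfig`, `ProxyConfig` and `Timeouts` records and the package name are hypothetical stand-ins for the values Tika reads from `HttpClientFactory`.

```java
package org.apache.tika.pipes.solr; // hypothetical package, not Tika's actual layout

import java.util.List;
import java.util.Optional;
import java.util.concurrent.TimeUnit;

import org.apache.solr.client.solrj.SolrClient;
import org.apache.solr.client.solrj.impl.CloudSolrClient;
import org.apache.solr.client.solrj.impl.LBSolrClient;
import org.apache.solr.client.solrj.jetty.HttpJettySolrClient;
import org.apache.solr.client.solrj.jetty.LBJettySolrClient;

import org.apache.tika.exception.TikaConfigException;

public final class SolrClientHelper {

    /** Hypothetical holders standing in for the values Tika reads from its HttpClientFactory. */
    public record AuthConfig(String scheme, String user, String password) {}
    public record ProxyConfig(String host, Integer port) {}
    public record Timeouts(long requestMs, long connectMs, long idleMs) {}

    private SolrClientHelper() {}

    /**
     * Shared by the LB (direct URL) and ZK (CloudSolrClient) paths so that auth validation,
     * the proxy-port guard and all three timeouts are applied identically on both.
     * Builder method names are assumed to match SolrJ 9's Http2SolrClient.Builder.
     */
    public static HttpJettySolrClient.Builder applyAuthAndProxy(
            HttpJettySolrClient.Builder builder, AuthConfig auth,
            ProxyConfig proxy, Timeouts timeouts) throws TikaConfigException {

        if (auth != null && auth.user() != null) {
            // Fail fast at startup: HttpJettySolrClient only supports basic auth, so any other
            // scheme would otherwise be dropped and requests would go out unauthenticated.
            if (!"basic".equalsIgnoreCase(auth.scheme())) {
                throw new TikaConfigException(
                        "HttpJettySolrClient only supports basic auth, but scheme '"
                                + auth.scheme() + "' was configured");
            }
            builder.withBasicAuthCredentials(auth.user(), auth.password());
        }

        // Only configure a proxy when a usable host and port are present; a null or zero port
        // must not reach withProxyConfiguration(), or the Jetty client is silently misconfigured.
        if (proxy != null && proxy.host() != null && !proxy.host().isBlank()
                && proxy.port() != null && proxy.port() > 0) {
            builder.withProxyConfiguration(proxy.host(), proxy.port(),
                    /* isSocks4 */ false, /* isSecure */ false);
        }

        // Request, connection and idle timeouts on every path, so no request can hang indefinitely.
        builder.withRequestTimeout(timeouts.requestMs(), TimeUnit.MILLISECONDS)
                .withConnectionTimeout(timeouts.connectMs(), TimeUnit.MILLISECONDS)
                .withIdleTimeout(timeouts.idleMs(), TimeUnit.MILLISECONDS);
        return builder;
    }

    /** Direct-URL path: LBJettySolrClient.Builder takes the built client plus the endpoints inline. */
    public static SolrClient buildLbClient(List<String> solrUrls, AuthConfig auth,
            ProxyConfig proxy, Timeouts timeouts) throws TikaConfigException {
        HttpJettySolrClient http =
                applyAuthAndProxy(new HttpJettySolrClient.Builder(), auth, proxy, timeouts).build();
        LBSolrClient.Endpoint[] endpoints = solrUrls.stream()
                .map(LBSolrClient.Endpoint::new)
                .toArray(LBSolrClient.Endpoint[]::new);
        return new LBJettySolrClient.Builder(http, endpoints).build();
    }

    /** ZooKeeper path: the same configured builder is handed to CloudSolrClient via withInternalClientBuilder(). */
    public static SolrClient buildZkClient(List<String> zkHosts, Optional<String> zkChroot,
            AuthConfig auth, ProxyConfig proxy, Timeouts timeouts) throws TikaConfigException {
        HttpJettySolrClient.Builder internal =
                applyAuthAndProxy(new HttpJettySolrClient.Builder(), auth, proxy, timeouts);
        return new CloudSolrClient.Builder(zkHosts, zkChroot)
                .withInternalClientBuilder(internal)
                .build();
    }
}
```

Routing both paths through one method is what makes the review comments on this PR moot by construction: a timeout or guard added to the helper cannot be present on one path and missing on the other, which is exactly the asymmetry the `withRequestTimeout` and `withIdleTimeout` commits had to correct.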
Summary
Changes
| File | Change |
|---|---|
| tika-parent/pom.xml | `jetty.version` 11.0.26 → 12.0.35; rename `http2-*` artifacts to `jetty-http2-*`; `cxf.version` 4.0.11 → 4.1.7; `solrj.version` 9.10.1 → 10.0.0; centralise `jakarta.servlet-api` version management; use `${jetty.http2.version}` in OSS Index exclusion |
| tika-server/tika-server-core/pom.xml | `jetty-http2-server`; add `jakarta.servlet-api` (Jetty 12 no longer bundles the EE9 servlet JAR; version managed in parent) |
| SolrEmitter.java, SolrPipesIterator.java | `Http2SolrClient` → `HttpJettySolrClient`, `LBHttpSolrClient` → `LBJettySolrClient` (SolrJ 10 renames); proxy configured via native Jetty API (`withProxyConfiguration`), skipped when port is unset; non-basic auth schemes rejected early with `TikaConfigException` since `HttpJettySolrClient` only supports basic auth |
| tika-pipes-solr/pom.xml, tika-pipes-solr-integration-tests/pom.xml | `solr-solrj-jetty` and `solr-solrj-zookeeper` (SolrJ 10 moved Jetty client and ZK classes to separate modules) |
| TikaPipesSolrTestBase.java | `Http2SolrClient` → `HttpJettySolrClient` |
| PipesBiDirectionalStreamingIntegrationTest.java | `PathResource` (removed in Jetty 12) → `ResourceHandler.setBaseResourceAsString()` |

Test plan
- `./mvnw verify -pl tika-parent,tika-core,tika-server/tika-server-core -DskipTests` — validate POM changes compile
- `./mvnw test -pl tika-pipes/tika-pipes-plugins/tika-pipes-solr` — Solr emitter/iterator unit tests
- `./mvnw test -pl tika-grpc` — gRPC streaming integration test with Jetty 12 HTTP server
- `./mvnw verify -pl tika-integration-tests/tika-pipes-solr-integration-tests` — Solr integration tests (requires Docker)

🤖 Generated with Claude Code