http4s `0.22`: Add support for Jetty `12` to address `CVE-2024-6763`

[kevin-lee]

---

http4s 0.22: Add support for Jetty 12 to address CVE-2024-6763

Why?

• Jetty versions from 7.0.0 up to 12.0.11 are affected by CVE-2024-6763 (Eclipse Jetty URI parsing of invalid authority).
• http4s 0.22's http4s-jetty uses Jetty 9.
• Jetty 9's community support ended in June 2022.
• Community support for Jetty 10 and Jetty 11 ended in January 2024.
• To solve the issue, http4s should use Jetty 12, the current stable version.

Why Not Update http4s 0.23?

• Updating the 0.22 is for those who cannot use 0.23 as they are inextricably bound to cats-effect 2.
• Why not bump cats-effect to 3?
  • "IOLocal propagation for unsafe access" is not available yet. This feature is critical for companies with applications that log context-specific information using logger libraries. (e.g. https://web.archive.org/web/20230201063241/https://olegpy.com/better-logging-monix-1/)

Any Other Things to Know?

• Jetty 12 requires Java 17, so dropping support for Java 8 and 11 is necessary.
• Jetty has multiple versions supporting different versions of Jakarta EE (Java EE), but I only added support for Jakarta EE 8 to minimize changes, as the API namespace moved from javax to jakarta starting with Jakarta EE 9.

---

NOTE:

I've been working on it, and it seems to be working. I will do the same for http4s-jetty as well.

[arixmkii]

Http4s 0.22 is EOL #6334

[kevin-lee]

@arixmkii I understand that and explained the reason why I created this ticket above. Because it's EOL, I also provided the PR (#7579) to fix it.

[rossabaker]

https://github.com/http4s/http4s-jetty/releases/tag/v0.22.0