GEODE-10568: Remediation of CVE-2026-1605 and CVE-2025-11143 (#7992)

* GEODE-10568: Upgrade Jetty to 12.0.33

* GEODE-10568: Update integration test snapshots for Jetty 12.0.33

Author: JinwooHwang

build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy

@@ -82,7 +82,7 @@ class DependencyConstraints {
     // at o.a.g.sessions.tests.GenericAppServerInstall.java
     // Jetty 12.0.x for Jakarta EE 10 (Servlet 6.0) compatibility
     // Jetty 12 reorganized modules under ee10, ee9, ee8 packages
-    deps.put("jetty.version", "12.0.27")
+    deps.put("jetty.version", "12.0.33")
 
     // These versions are referenced in test.gradle, which is aggressively injected into all projects.
     deps.put("junit.version", "4.13.2")

geode-assembly/src/distributedTest/java/org/apache/geode/session/tests/GenericAppServerInstall.java

@@ -34,7 +34,7 @@
  * specific code outside of the {@link GenericAppServerVersion}.
  */
 public class GenericAppServerInstall extends ContainerInstall {
-  private static final String JETTY_VERSION = "12.0.27";
+  private static final String JETTY_VERSION = "12.0.33";
 
   /**
    * Get the version number, download URL, and container name of a generic app server using

geode-assembly/src/integrationTest/resources/assembly_content.txt

@@ -920,9 +920,9 @@ lib/ST4-4.3.3.jar
 lib/angus-activation-2.0.0.jar
 lib/antlr-2.7.7.jar
 lib/antlr-runtime-3.5.2.jar
-lib/asm-9.8.jar
-lib/asm-commons-9.8.jar
-lib/asm-tree-9.8.jar
+lib/asm-9.9.1.jar
+lib/asm-commons-9.9.1.jar
+lib/asm-tree-9.9.1.jar
 lib/classgraph-4.8.147.jar
 lib/classmate-1.5.1.jar
 lib/commons-beanutils-1.11.0.jar
@@ -985,20 +985,20 @@ lib/jakarta.xml.bind-api-4.0.2.jar
 lib/jaxb-core-4.0.2.jar
 lib/jaxb-runtime-4.0.2.jar
 lib/jboss-logging-3.4.3.Final.jar
-lib/jetty-ee-12.0.27.jar
-lib/jetty-ee10-annotations-12.0.27.jar
-lib/jetty-ee10-plus-12.0.27.jar
-lib/jetty-ee10-servlet-12.0.27.jar
-lib/jetty-ee10-webapp-12.0.27.jar
-lib/jetty-http-12.0.27.jar
-lib/jetty-io-12.0.27.jar
-lib/jetty-jndi-12.0.27.jar
-lib/jetty-plus-12.0.27.jar
-lib/jetty-security-12.0.27.jar
-lib/jetty-server-12.0.27.jar
-lib/jetty-session-12.0.27.jar
-lib/jetty-util-12.0.27.jar
-lib/jetty-xml-12.0.27.jar
+lib/jetty-ee-12.0.33.jar
+lib/jetty-ee10-annotations-12.0.33.jar
+lib/jetty-ee10-plus-12.0.33.jar
+lib/jetty-ee10-servlet-12.0.33.jar
+lib/jetty-ee10-webapp-12.0.33.jar
+lib/jetty-http-12.0.33.jar
+lib/jetty-io-12.0.33.jar
+lib/jetty-jndi-12.0.33.jar
+lib/jetty-plus-12.0.33.jar
+lib/jetty-security-12.0.33.jar
+lib/jetty-server-12.0.33.jar
+lib/jetty-session-12.0.33.jar
+lib/jetty-util-12.0.33.jar
+lib/jetty-xml-12.0.33.jar
 lib/jgroups-3.6.20.Final.jar
 lib/jline-builtins-3.26.3.jar
 lib/jline-console-3.26.3.jar

geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt

@@ -79,23 +79,23 @@ micrometer-core-1.14.0.jar
 HdrHistogram-2.2.2.jar
 fastutil-8.5.8.jar
 jakarta.resource-api-2.1.0.jar
-jetty-ee10-annotations-12.0.27.jar
-jetty-ee10-plus-12.0.27.jar
+jetty-ee10-annotations-12.0.33.jar
+jetty-ee10-plus-12.0.33.jar
 jakarta.enterprise.cdi-api-4.0.1.jar
 jakarta.interceptor-api-2.1.0.jar
 jakarta.annotation-api-2.1.1.jar
-jetty-ee10-webapp-12.0.27.jar
-jetty-ee10-servlet-12.0.27.jar
+jetty-ee10-webapp-12.0.33.jar
+jetty-ee10-servlet-12.0.33.jar
 jakarta.servlet-api-6.0.0.jar
 jakarta.transaction-api-2.0.1.jar
 joda-time-2.12.7.jar
 jna-platform-5.11.0.jar
 jna-5.11.0.jar
-jetty-ee-12.0.27.jar
-jetty-session-12.0.27.jar
-jetty-plus-12.0.27.jar
-jetty-security-12.0.27.jar
-jetty-server-12.0.27.jar
+jetty-ee-12.0.33.jar
+jetty-session-12.0.33.jar
+jetty-plus-12.0.33.jar
+jetty-security-12.0.33.jar
+jetty-server-12.0.33.jar
 snappy-0.5.jar
 jgroups-3.6.20.Final.jar
 shiro-cache-1.13.0.jar
@@ -105,13 +105,13 @@ shiro-config-core-1.13.0.jar
 shiro-event-1.13.0.jar
 shiro-crypto-core-1.13.0.jar
 shiro-lang-1.13.0.jar
-jetty-xml-12.0.27.jar
-jetty-http-12.0.27.jar
-jetty-io-12.0.27.jar
+jetty-xml-12.0.33.jar
+jetty-http-12.0.33.jar
+jetty-io-12.0.33.jar
 spring-boot-starter-logging-3.3.5.jar
 jul-to-slf4j-2.0.16.jar
-jetty-jndi-12.0.27.jar
-jetty-util-12.0.27.jar
+jetty-jndi-12.0.33.jar
+jetty-util-12.0.33.jar
 slf4j-api-2.0.17.jar
 micrometer-observation-1.14.0.jar
 spring-jcl-6.1.14.jar
@@ -126,9 +126,9 @@ jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
 txw2-4.0.2.jar
 snakeyaml-2.3.jar
-asm-commons-9.8.jar
-asm-tree-9.8.jar
-asm-9.8.jar
+asm-commons-9.9.1.jar
+asm-tree-9.9.1.jar
+asm-9.9.1.jar
 reactive-streams-1.0.4.jar
 jline-native-3.26.3.jar
 antlr-runtime-3.5.2.jar

geode-server-all/src/integrationTest/resources/dependency_classpath.txt

@@ -48,10 +48,10 @@ spring-shell-core-3.3.3.jar
 commons-io-2.19.0.jar
 micrometer-core-1.14.0.jar
 jakarta.resource-api-2.1.0.jar
-jetty-ee10-annotations-12.0.27.jar
+jetty-ee10-annotations-12.0.33.jar
 spring-boot-starter-validation-3.3.5.jar
 spring-boot-starter-3.3.5.jar
-jetty-ee10-plus-12.0.27.jar
+jetty-ee10-plus-12.0.33.jar
 jakarta.enterprise.cdi-api-4.0.1.jar
 jakarta.interceptor-api-2.1.0.jar
 jakarta.annotation-api-2.1.1.jar
@@ -89,37 +89,37 @@ commons-collections-3.2.2.jar
 commons-digester-2.1.jar
 commons-logging-1.3.5.jar
 HdrHistogram-2.2.2.jar
-jetty-ee10-webapp-12.0.27.jar
-jetty-ee10-servlet-12.0.27.jar
+jetty-ee10-webapp-12.0.33.jar
+jetty-ee10-servlet-12.0.33.jar
 jakarta.servlet-api-6.0.0.jar
 joda-time-2.12.7.jar
-jetty-ee-12.0.27.jar
-jetty-session-12.0.27.jar
-jetty-plus-12.0.27.jar
-jetty-security-12.0.27.jar
-jetty-server-12.0.27.jar
+jetty-ee-12.0.33.jar
+jetty-session-12.0.33.jar
+jetty-plus-12.0.33.jar
+jetty-security-12.0.33.jar
+jetty-server-12.0.33.jar
 shiro-cache-1.13.0.jar
 shiro-crypto-hash-1.13.0.jar
 shiro-crypto-cipher-1.13.0.jar
 shiro-config-core-1.13.0.jar
 shiro-event-1.13.0.jar
 shiro-crypto-core-1.13.0.jar
 shiro-lang-1.13.0.jar
-jetty-xml-12.0.27.jar
-jetty-http-12.0.27.jar
-jetty-io-12.0.27.jar
-jetty-jndi-12.0.27.jar
-jetty-util-12.0.27.jar
+jetty-xml-12.0.33.jar
+jetty-http-12.0.33.jar
+jetty-io-12.0.33.jar
+jetty-jndi-12.0.33.jar
+jetty-util-12.0.33.jar
 spring-boot-starter-logging-3.3.5.jar
 jul-to-slf4j-2.0.16.jar
 slf4j-api-2.0.17.jar
 micrometer-observation-1.14.0.jar
 micrometer-commons-1.14.0.jar
 LatencyUtils-2.0.3.jar
 spring-jcl-6.1.14.jar
-asm-commons-9.8.jar
-asm-tree-9.8.jar
-asm-9.8.jar
+asm-commons-9.9.1.jar
+asm-tree-9.9.1.jar
+asm-9.9.1.jar
 txw2-4.0.2.jar
 reactor-core-3.6.10.jar
 jline-console-3.26.3.jar