[SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165

[sarutak]

What changes were proposed in this pull request?

This PR backports #32091.
This PR upgrades the version of Jetty to 9.4.39.

Why are the changes needed?

CVE-2021-28165 affects the version of Jetty that Spark uses and it seems to be a little bit serious.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Existing tests.

[SparkQA]

Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/41652/

[SparkQA]

Kubernetes integration test status failure
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/41652/

[srowen]

All the backports seem fine

[SparkQA]

Test build #137075 has finished for PR 32095 at commit 6a779f0.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[srowen]

Merged to 3.1

[dongjoon-hyun]

Thanks!

[jeffreysmooth]

Any idea when this fix will be released for the version 3.1.1?

[dongjoon-hyun]

@jeffreysmooth . Do you mean Apache Spark 3.1.2 because 3.1.1 is already released?
We are currently waiting for Apache Spark 2.4.8 release announcement because the vote passed.

Apache Spark 3.1.2 vote will start soon but currently the community is busy for DATA+AI Summit (Previously Spark summit).

[jeffreysmooth]

Thanks for the quick response. What I meant is currently CVE-2021-28165 exist in 3.1.1 version so I asked when patched version will be released since I noticed fix already been merged into 3.1. I believe 3.1.2 include this fix.