From 042a016360e126fb2d80bbba426e2e950e499b6e Mon Sep 17 00:00:00 2001 From: Erik Merkle Date: Thu, 5 Feb 2026 09:33:56 -0600 Subject: [PATCH] Update Release notes for DSE 6.8 and 6.9 This patch removes CVE-2024-6763 as fixed in 6.8.58 and 6.9.10 as scans have shown there is still an older version of Jetty being shipped. This will be addressed in the next releases of each. Also, CVE-2024-47554 is removed as Apache commons-io version 2.8.0 is still being pulled in via gremlin-console. This too will be addressed in the next release of each. --- DSE_6.8_Release_Notes.md | 1 - DSE_6.9_Release_Notes.md | 1 - 2 files changed, 2 deletions(-) diff --git a/DSE_6.8_Release_Notes.md b/DSE_6.8_Release_Notes.md index 249dc8f..cb32264 100644 --- a/DSE_6.8_Release_Notes.md +++ b/DSE_6.8_Release_Notes.md @@ -133,7 +133,6 @@ If you're developing applications, please refer to the [Java Driver documentatio ## 6.8.58 DSE CVE * Upgraded the `net.minidev:json-smart` Java JSON parser package to version `2.5.2` to resolve a Denial of Service (DoS) vulnerability. (DSP-24851, [CVE-2024-57699](https://nvd.nist.gov/vuln/detail/CVE-2024-57699)) -* Upgraded Jetty to version `9.4.57.v20241219` and Apache Commons IO to version `2.19.0`. (DSP-24855, [CVE-2024-6763](https://nvd.nist.gov/vuln/detail/CVE-2024-6763), [CVE-2024-47554](https://nvd.nist.gov/vuln/detail/CVE-2024-47554)) * Upgraded the Apache Commons BeanUtils library to version `1.11.0` to resolve a vulnerability. (DSP-24857, [CVE-2025-48734](https://nvd.nist.gov/vuln/detail/CVE-2025-48734)) * Upgraded Netty to version `4.1.119.1.dse`, which is based on version `4.1.119.Final`. (DSP-24850, [CVE-2025-24970](https://nvd.nist.gov/vuln/detail/CVE-2025-24970)) * Upgraded the protocol buffers (protobuf) to version `4.29.4` to support DSE core workloads. (DSP-24853, [CVE-2024-7254](https://nvd.nist.gov/vuln/detail/CVE-2024-7254)) diff --git a/DSE_6.9_Release_Notes.md b/DSE_6.9_Release_Notes.md index 949d855..f3e3c98 100644 
--- a/DSE_6.9_Release_Notes.md +++ b/DSE_6.9_Release_Notes.md @@ -217,7 +217,6 @@ If you're developing applications, please refer to the [Java Driver documentatio ## 6.9.10 DSE CVE * Upgraded the `net.minidev:json-smart` Java JSON parser package to version `2.5.2`. (DSP-24851, [CVE-2024-57699](https://nvd.nist.gov/vuln/detail/CVE-2024-57699)) -* Upgraded Jetty to version `9.4.57.v20241219` and Apache Commons IO to version `2.19.0`. (DSP-24855, [CVE-2024-6763](https://nvd.nist.gov/vuln/detail/CVE-2024-6763), [CVE-2024-47554](https://nvd.nist.gov/vuln/detail/CVE-2024-47554)) * Upgraded the Apache Commons BeanUtils library to version `1.11.0` to resolve a vulnerability. (DSP-24857, [CVE-2025-48734](https://nvd.nist.gov/vuln/detail/CVE-2025-48734)) * Upgraded Netty to version `4.1.119.1.dse`, which is based on version `4.1.119.Final`. (DSP-24850, [CVE-2025-24970](https://nvd.nist.gov/vuln/detail/CVE-2025-24970)) * Upgraded the protocol buffers (protobuf) to version `4.29.4` to support DSE core workloads. (DSP-24853, [CVE-2024-7254](https://nvd.nist.gov/vuln/detail/CVE-2024-7254))
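Review bot: In the DSE_6.8_Release_Notes.md hunk, the DSP-24855 bullet under `## 6.8.58 DSE CVE` is deleted outright, so the 6.8.58 notes become silent on CVE-2024-6763 and CVE-2024-47554 and a reader who saw the earlier notes gets no signal that the fix claim was withdrawn. Suggest replacing the bullet with a short known-issue entry rather than removing it, stating what the commit message already says: an older Jetty is still shipped, Commons IO 2.8.0 is still pulled in via gremlin-console, and both are deferred to the next release.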
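Review bot: In the DSE_6.9_Release_Notes.md hunk, the single removed bullet under `## 6.9.10 DSE CVE` tied two unrelated dependencies (Jetty `9.4.57.v20241219` and Commons IO `2.19.0`) to one entry, which is why both CVEs have to be retracted together even though the commit message gives a separate cause for each. When the entry returns in the next release, split it into one bullet per CVE so that each can be verified against a scan and corrected on its own. Minor, in the unchanged context of the same hunk: the json-smart bullet here omits the "to resolve a Denial of Service (DoS) vulnerability" wording that the 6.8 file carries, which is worth aligning.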