
Fix CVE-2026-24308: Upgrade Apache ZooKeeper to 3.8.6 #19135

Merged
abhishekrb19 merged 2 commits into apache:master from ashwintumma23:zkUpdate
Mar 12, 2026

Conversation

@ashwintumma23 (Contributor)

Description

Upgrades org.apache.zookeeper from 3.8.4 to 3.8.6 to remediate CVE-2026-24308.

CVE Details

CVE-2026-24308: Insertion of Sensitive Information into Log File (CWE-532) in Apache ZooKeeper

  • Affected versions: Apache ZooKeeper 3.8.0 through 3.8.5, and 3.9.0 through 3.9.4
  • Fixed in: 3.8.6 (or 3.9.5)
  • Description: ZKConfig improperly logs configuration values at INFO level, exposing sensitive information — such as credentials stored in client configuration files — through client log files.

Fixed the bug ...

Renamed the class ...

Added a forbidden-apis entry ...

Release note

Upgrades org.apache.zookeeper from 3.8.4 to 3.8.6 to remediate CVE-2026-24308.


Key changed/added classes in this PR
  • Top Level pom.xml
  • Top Level licenses.yaml

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

Comment thread on pom.xml (outdated)
<httpclient.version>4.5.13</httpclient.version>
<okhttp.version>5.3.2</okhttp.version>
<kubernetes.client.version>25.0.0-legacy</kubernetes.client.version>
<!-- When upgrading ZK, edit docs and integration tests as well (integration-tests/docker-base/setup.sh) -->
Contributor

Thanks @ashwintumma23. Per this comment:

  1. I don't think the docs need an update anymore with this change - docs: update zookeeper version #18836
  2. There's no integration-tests/docker-base/setup.sh, I think it should be this https://github.com/apache/druid/blob/master/integration-tests/docker/base-setup.sh?

Overall I think this existing comment may just be stale. Could we update or remove as needed?

Contributor Author

Thanks for the review, @abhishekrb19 !

  • Agreed on both points — removed the stale comment.
  • The docs no longer need a manual update per docs: update zookeeper version #18836.
  • As for the integration tests, ZK_VERSION is sourced transitively from this property: integration-tests/pom.xml maps it as <ZK_VERSION>${zookeeper.version}</ZK_VERSION> via the Failsafe plugin, which exports it into the shell environment. docker_build_containers.sh then passes it through as --build-arg ZK_VERSION, and Dockerfile picks it up as ARG ZK_VERSION before base-setup.sh consumes it. So updating the root pom.xml property is sufficient.
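An added check, not code from this PR or from the Druid project, that ties together the CVE details in the description (3.8.0 through 3.8.5 and 3.9.0 through 3.9.4 affected; fixed in 3.8.6 / 3.9.5) with the point made above that the root pom.xml zookeeper.version property is the single value the integration tests consume: a small Python script that reads that property from a pom.xml and reports whether it still falls in an affected range. The pom.xml text inside it is a constructed sample, not Druid's real file, and the function names are assumptions of this example.

```python
"""Check a Maven pom.xml's zookeeper.version property against the
affected ranges of CVE-2026-24308.

Added example for this PR page; it is not code from Apache Druid or
Apache ZooKeeper. The pom.xml below is a constructed sample, and the
affected/fixed ranges are the ones listed in the PR description.
"""
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

# Maven's default POM namespace; <properties> usually lives under it.
POM_NS = "http://maven.apache.org/POM/4.0.0"

# Per minor line: (lowest affected version, first fixed version).
AFFECTED = {
    (3, 8): ((3, 8, 0), (3, 8, 6)),
    (3, 9): ((3, 9, 0), (3, 9, 5)),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.8.6' into (3, 8, 6); drop qualifiers such as '-SNAPSHOT'
    and pad short versions like '3.8' to three components."""
    core = v.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def zookeeper_version_from_pom(pom_xml: str) -> Optional[str]:
    """Return the <zookeeper.version> property text, or None if absent."""
    root = ET.fromstring(pom_xml)
    # Try the namespaced path first, then a namespace-less pom.
    for path in (f"{{{POM_NS}}}properties/{{{POM_NS}}}zookeeper.version",
                 "properties/zookeeper.version"):
        node = root.find(path)
        if node is not None and node.text:
            return node.text.strip()
    return None


def is_affected(version: str) -> bool:
    """True if the version lies inside an affected range of CVE-2026-24308."""
    parsed = parse_version(version)
    minor = parsed[:2]
    if minor not in AFFECTED:
        return False
    lowest, fixed = AFFECTED[minor]
    return lowest <= parsed < fixed


# Constructed sample: a trimmed pom.xml carrying the pre-upgrade value.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <zookeeper.version>3.8.4</zookeeper.version>
    <httpclient.version>4.5.13</httpclient.version>
  </properties>
</project>
"""


def check_pom(pom_xml: str) -> dict:
    """Summarise the finding: the version found and whether it is affected."""
    version = zookeeper_version_from_pom(pom_xml)
    return {
        "version": version,
        "affected": version is not None and is_affected(version),
    }


if __name__ == "__main__":
    print(check_pom(SAMPLE_POM))
```

Pointing `check_pom` at the real root pom.xml (read the file and pass its contents) answers the question the discussion settles: because ZK_VERSION is derived from this one property, a non-affected result here covers the integration-test containers as well.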

@abhishekrb19 (Contributor)

3.8.6 is the latest stable release, and from going through the release notes for 3.8.5 and 3.8.6 it looks fine to me.

@abhishekrb19 abhishekrb19 merged commit 7758049 into apache:master Mar 12, 2026
37 checks passed
@ashwintumma23 ashwintumma23 deleted the zkUpdate branch March 12, 2026 15:56
@github-actions github-actions Bot added this to the 37.0.0 milestone Mar 12, 2026