[BugFix][CVE-2026-24281] upgrade zookeeper to 3.8.6/3.9.5

[andyziye]

What type of PR is this?

Bug Fix

Why I'm doing this

Two HIGH severity CVEs detected in org.apache.zookeeper:zookeeper on branch-4.0:

CVE	Severity	Installed	Fixed
CVE-2026-24281	HIGH	3.8.4 / 3.9.3	3.8.6, 3.9.5
CVE-2026-24308	HIGH	3.8.4 / 3.9.3	3.8.6, 3.9.5

Detected by Trivy in inspection BUILD job:
https://github.com/StarRocks/starrocks/actions/runs/23897903395/job/69687010595

Fixes #71266

What this PR does

• Pin org.apache.zookeeper:zookeeper to 3.8.6 via dependencyManagement in fe/pom.xml and java-extensions/pom.xml (overrides transitive 3.8.4 pulled in via hadoop-common 3.4.3)
• Upgrade zookeeper.version from 3.9.3 → 3.9.5 in fs_brokers/apache_hdfs_broker/src/pom.xml

Does this PR introduce any user-facing change?

No

Checklist

• I have added test cases for my bug fix or new feature
• This bugfix is accompanied by an issue [CVE][CVE-2026-24281][CVE-2026-24308] zookeeper #71266

🤖 Generated with Claude Code

[CelerData-Reviewer]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 🎉

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".