This is an automated email from the ASF dual-hosted git repository.

payang pushed a commit to branch 4.2
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.2 by this push:
     new ff8ef226244 KAFKA-20344: Upgrade Jetty to 12.0.34 (trunk, 4.3, 4.2) (#21939)
ff8ef226244 is described below

commit ff8ef226244185a918cb9ec32755ce843dafdac1
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Fri Apr 3 21:01:04 2026 +0800

    KAFKA-20344: Upgrade Jetty to 12.0.34 (trunk, 4.3, 4.2) (#21939)
    
    Upgrade Jetty from 12.0.25 to 12.0.34.
    
    Jetty 12.0.34 has removed all dependencies on the SLF4J 2.x API,
    resolving the previous incompatibility with Kafka's SLF4J 1.7.x usage.
    This also fixes CVE-2025-11143 in jetty-http.
    
    This can be cherry-picked to 4.3 and 4.2. A separate PR for 4.1: #21940.
    
    Reviewers: PoAn Yang <[email protected]>
    (cherry picked from commit 55a7c2fa74112a50afd1ced0df952460b8f8fd79)
---
 LICENSE-binary             | 20 ++++++++++----------
 gradle/dependencies.gradle |  8 +++-----
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 32f38c6fbcd..0e469ac8ee6 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -226,16 +226,16 @@ License Version 2.0:
 - jakarta.inject-api-2.0.1
 - jakarta.validation-api-3.0.2
 - javassist-3.30.2-GA
-- jetty-alpn-client-12.0.25
-- jetty-client-12.0.25
-- jetty-ee10-servlet-12.0.25
-- jetty-ee10-servlets-12.0.25
-- jetty-http-12.0.25
-- jetty-io-12.0.25
-- jetty-security-12.0.25
-- jetty-server-12.0.25
-- jetty-session-12.0.25
-- jetty-util-12.0.25
+- jetty-alpn-client-12.0.34
+- jetty-client-12.0.34
+- jetty-ee10-servlet-12.0.34
+- jetty-ee10-servlets-12.0.34
+- jetty-http-12.0.34
+- jetty-io-12.0.34
+- jetty-security-12.0.34
+- jetty-server-12.0.34
+- jetty-session-12.0.34
+- jetty-util-12.0.34
 - jose4j-0.9.6
 - jspecify-1.0.0
 - log4j-api-2.25.3
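Review bot: the ten `jetty-*` entries in this hunk change only their version suffix, so the hunk does not show whether the set of bundled Jetty jars is still the same after a jump of nine patch releases. The commit message says 12.0.34 removed Jetty's dependencies on the SLF4J 2.x API, which is the kind of change that can alter what lands in the distribution. Please confirm the list was checked against the jars in the built release artifact rather than search-and-replaced, so LICENSE-binary keeps matching what actually ships.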
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index ff9ee05ec87..2d387c4435a 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -67,11 +67,9 @@ versions += [
   jacksonAnnotations: "2.21",
   jacoco: "0.8.14",
   javassist: "3.30.2-GA",
-  // Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage (e.g. 
Logger.atDebug()) in production
-  // code, which causes NoSuchMethodError at runtime since Kafka uses SLF4J 
1.7.x.
-  // 12.0.25 is the version that includes the CVE-2025-5115 fix while only 
using the
-  // SLF4J 2.x fluent API in test code, avoiding the runtime incompatibility.
-  jetty: "12.0.25",
+  // When upgrading Jetty, verify that it does not use the SLF4J 2.x fluent API
+  // (e.g. Logger.atDebug()) in production code, as Kafka uses SLF4J 1.7.x.
+  jetty: "12.0.34",
   jersey: "3.1.10",
   jline: "3.30.4",
   jmh: "1.37",
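Review bot: the replacement comment above `jetty: "12.0.34"` drops the security rationale that the old comment carried. The removed text recorded that 12.0.25 was chosen because it includes the CVE-2025-5115 fix, and the commit message says this bump also fixes CVE-2025-11143 in jetty-http, but nothing in the new comment tells a future maintainer that there is a version floor they must not go below when resolving a conflict or backporting. Suggest adding a line naming the CVE fixes this version is expected to contain. Separately, "verify that it does not use the SLF4J 2.x fluent API" is a manual step with no stated procedure, and the old comment notes the failure is a `NoSuchMethodError` at runtime, so it will not surface at compile time. Consider either describing how to check it or backing it with a test that exercises Jetty's logging paths on the SLF4J 1.7.x classpath.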
