This is an automated email from the ASF dual-hosted git repository.
payang pushed a commit to branch 4.1
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/4.1 by this push:
new a4ce516ac72 KAFKA-20344: Upgrade Jetty to 12.0.34 (4.1) (#21940)
a4ce516ac72 is described below
commit a4ce516ac7229baa1d61f23a9c2913ebc9d33eea
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Sat Apr 4 08:24:34 2026 +0800
KAFKA-20344: Upgrade Jetty to 12.0.34 (4.1) (#21940)
Cherry-pick of #21939 to 4.1.
Upgrade Jetty from 12.0.25 to 12.0.34. Jetty 12.0.34 has removed all
dependencies on the SLF4J 2.x API, resolving the previous
incompatibility with Kafka's SLF4J 1.7.x usage. This also fixes
CVE-2025-11143 in jetty-http.
Reviewers: Chia-Ping Tsai <[email protected]>, PoAn Yang
<[email protected]>
---
LICENSE-binary | 20 ++++++++++----------
gradle/dependencies.gradle | 8 +++-----
2 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/LICENSE-binary b/LICENSE-binary
index cbf94b92098..e42baa825d2 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -226,16 +226,16 @@ License Version 2.0:
- jakarta.inject-api-2.0.1
- jakarta.validation-api-3.0.2
- javassist-3.30.2-GA
-- jetty-alpn-client-12.0.25
-- jetty-client-12.0.25
-- jetty-ee10-servlet-12.0.25
-- jetty-ee10-servlets-12.0.25
-- jetty-http-12.0.25
-- jetty-io-12.0.25
-- jetty-security-12.0.25
-- jetty-server-12.0.25
-- jetty-session-12.0.25
-- jetty-util-12.0.25
+- jetty-alpn-client-12.0.34
+- jetty-client-12.0.34
+- jetty-ee10-servlet-12.0.34
+- jetty-ee10-servlets-12.0.34
+- jetty-http-12.0.34
+- jetty-io-12.0.34
+- jetty-security-12.0.34
+- jetty-server-12.0.34
+- jetty-session-12.0.34
+- jetty-util-12.0.34
- jose4j-0.9.6
- jspecify-1.0.0
- log4j-api-2.25.3
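Review bot: the ten jetty-* entries in this LICENSE-binary hunk are maintained by hand, separately from the `jetty: "12.0.34"` pin in gradle/dependencies.gradle, and nothing in the patch shows that the list still matches the jars that actually ship. Before merging, build the release distribution and compare its bundled jetty-*.jar files against this list, both for version (12.0.34 on every entry) and for membership, in case the move from 12.0.25 to 12.0.34 added or dropped a transitive Jetty module.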
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 3c625763a8d..8635ffc67e6 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -66,11 +66,9 @@ versions += [
jackson: "2.19.4",
jacoco: "0.8.13",
javassist: "3.30.2-GA",
- // Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage (e.g.
Logger.atDebug()) in production
- // code, which causes NoSuchMethodError at runtime since Kafka uses SLF4J
1.7.x.
- // 12.0.25 is the version that includes the CVE-2025-5115 fix while only
using the
- // SLF4J 2.x fluent API in test code, avoiding the runtime incompatibility.
- jetty: "12.0.25",
+ // When upgrading Jetty, verify that it does not use the SLF4J 2.x fluent API
+ // (e.g. Logger.atDebug()) in production code, as Kafka uses SLF4J 1.7.x.
+ jetty: "12.0.34",
jersey: "3.1.10",
jline: "3.30.4",
jmh: "1.37",
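Review bot: the replacement comment above `jetty: "12.0.34"` tells future upgraders to verify that Jetty does not use the SLF4J 2.x fluent API, but it drops the two facts the removed comment recorded: which Jetty versions were known to be affected (12.0.30+) and which CVE fix set the version floor. Consider keeping one line of that history, for example that 12.0.34 no longer depends on the SLF4J 2.x API and that, per the commit message, it carries the CVE-2025-11143 fix in jetty-http, so a later change does not move the pin below it. The comment would also help more if it said how to verify, since the failure described in the removed lines is a NoSuchMethodError at runtime, which compiling Kafka against the new jars will not surface.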