This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch 4.0
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.0 by this push:
     new ef7b2b57c08 KAFKA-20344: Upgrade Jetty to 12.0.34 (4.1) (#21940)
ef7b2b57c08 is described below

commit ef7b2b57c087cf1244bc2da3b537c893d94108d5
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Sat Apr 4 08:24:34 2026 +0800

    KAFKA-20344: Upgrade Jetty to 12.0.34 (4.1) (#21940)
    
    Cherry-pick of #21939 to 4.1.
    
    Upgrade Jetty from 12.0.25 to 12.0.34. Jetty 12.0.34 has removed all
    dependencies on the SLF4J 2.x API, resolving the previous
    incompatibility with Kafka's SLF4J 1.7.x usage. This also fixes
    CVE-2025-11143 in jetty-http.
    
    Reviewers: Chia-Ping Tsai <[email protected]>, PoAn Yang
     <[email protected]>
---
 LICENSE-binary             | 20 ++++++++++----------
 gradle/dependencies.gradle |  8 +++-----
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index daeb31876b0..93a1e09ee30 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -225,16 +225,16 @@ License Version 2.0:
 - jakarta.inject-api-2.0.1
 - jakarta.validation-api-3.0.2
 - javassist-3.29.2-GA
-- jetty-alpn-client-12.0.25
-- jetty-client-12.0.25
-- jetty-ee10-servlet-12.0.25
-- jetty-ee10-servlets-12.0.25
-- jetty-http-12.0.25
-- jetty-io-12.0.25
-- jetty-security-12.0.25
-- jetty-server-12.0.25
-- jetty-session-12.0.25
-- jetty-util-12.0.25
+- jetty-alpn-client-12.0.34
+- jetty-client-12.0.34
+- jetty-ee10-servlet-12.0.34
+- jetty-ee10-servlets-12.0.34
+- jetty-http-12.0.34
+- jetty-io-12.0.34
+- jetty-security-12.0.34
+- jetty-server-12.0.34
+- jetty-session-12.0.34
+- jetty-util-12.0.34
 - jose4j-0.9.4
 - log4j-api-2.25.3
 - log4j-core-2.25.3
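Review bot: The ten `jetty-*` entries in this hunk are bumped in place from 12.0.25 to 12.0.34, but nothing here shows the list was re-checked against the Jetty jars that actually ship with the new version. LICENSE-binary is a hand-maintained list, so a jump of nine patch releases is worth confirming by comparing these ten names against the Jetty jars in the built release artifact. If a module was added or dropped transitively, this file needs a matching line change rather than only a version bump.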
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 07595b227a9..a2f11b4624d 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -69,11 +69,9 @@ versions += [
   jackson: "2.18.6",
   jacoco: "0.8.10",
   javassist: "3.29.2-GA",
-  // Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage (e.g. 
Logger.atDebug()) in production
-  // code, which causes NoSuchMethodError at runtime since Kafka uses SLF4J 
1.7.x.
-  // 12.0.25 is the version that includes the CVE-2025-5115 fix while only 
using the
-  // SLF4J 2.x fluent API in test code, avoiding the runtime incompatibility.
-  jetty: "12.0.25",
+  // When upgrading Jetty, verify that it does not use the SLF4J 2.x fluent API
+  // (e.g. Logger.atDebug()) in production code, as Kafka uses SLF4J 1.7.x.
+  jetty: "12.0.34",
   jersey: "3.1.10",
   jline: "3.25.1",
   jmh: "1.37",
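Review bot: The replacement comment above `jetty: "12.0.34",` tells upgraders to verify that Jetty does not use the SLF4J 2.x fluent API in production code, but it does not say how, and it drops the security rationale the removed comment carried (the CVE-2025-5115 fix as the reason for the pinned version). Suggest keeping a security floor in the comment: per the commit message, 12.0.34 is the version that fixes CVE-2025-11143 in jetty-http, so stating that here would stop a later pin-back for SLF4J reasons from silently going below it. It would also help to name the check, for example a runtime smoke test that would surface the `NoSuchMethodError` the old comment described, or a scan of the Jetty production jars for `Logger.atDebug()`-style calls.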
