This is an automated email from the ASF dual-hosted git repository.
zixuan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 5b2778e8676 [fix] Upgrade Jetty to 12.1.6 to fix CVE-2026-1605 (#25485)
5b2778e8676 is described below
commit 5b2778e8676ede45025b8c94b563b8db258c50fc
Author: Matteo Merli <[email protected]>
AuthorDate: Wed Apr 8 23:49:31 2026 -0700
[fix] Upgrade Jetty to 12.1.6 to fix CVE-2026-1605 (#25485)
---
distribution/server/src/assemble/LICENSE.bin.txt | 80 ++++++++++++------------
distribution/shell/src/assemble/LICENSE.bin.txt | 24 +++----
gradle/libs.versions.toml | 2 +-
3 files changed, 53 insertions(+), 53 deletions(-)
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt
b/distribution/server/src/assemble/LICENSE.bin.txt
index a5f26bc9ffe..f61d9bbafc2 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -391,43 +391,43 @@ The Apache Software License, Version 2.0
- org.asynchttpclient-async-http-client-2.12.4.jar
- org.asynchttpclient-async-http-client-netty-utils-2.12.4.jar
* Jetty
- - org.eclipse.jetty-jetty-alpn-client-12.1.5.jar
- - org.eclipse.jetty-jetty-alpn-conscrypt-server-12.1.5.jar
- - org.eclipse.jetty-jetty-alpn-server-12.1.5.jar
- - org.eclipse.jetty-jetty-annotations-12.1.5.jar
- - org.eclipse.jetty-jetty-client-12.1.5.jar
- - org.eclipse.jetty-jetty-http-12.1.5.jar
- - org.eclipse.jetty-jetty-io-12.1.5.jar
- - org.eclipse.jetty-jetty-jndi-12.1.5.jar
- - org.eclipse.jetty-jetty-plus-12.1.5.jar
- - org.eclipse.jetty-jetty-security-12.1.5.jar
- - org.eclipse.jetty-jetty-server-12.1.5.jar
- - org.eclipse.jetty-jetty-session-12.1.5.jar
- - org.eclipse.jetty-jetty-util-12.1.5.jar
- - org.eclipse.jetty-jetty-xml-12.1.5.jar
- - org.eclipse.jetty.compression-jetty-compression-common-12.1.5.jar
- - org.eclipse.jetty.compression-jetty-compression-gzip-12.1.5.jar
- - org.eclipse.jetty.compression-jetty-compression-server-12.1.5.jar
- - org.eclipse.jetty.ee-jetty-ee-webapp-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-annotations-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-nested-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-plus-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-proxy-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-security-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-servlet-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-servlets-12.1.5.jar
- - org.eclipse.jetty.ee8-jetty-ee8-webapp-12.1.5.jar
- - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-api-12.1.5.jar
- -
org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-common-12.1.5.jar
- -
org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-server-12.1.5.jar
- - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-servlet-12.1.5.jar
- - org.eclipse.jetty.toolchain-jetty-servlet-api-4.0.6.jar
- - org.eclipse.jetty.websocket-jetty-websocket-core-client-12.1.5.jar
- - org.eclipse.jetty.websocket-jetty-websocket-core-common-12.1.5.jar
- - org.eclipse.jetty.websocket-jetty-websocket-core-server-12.1.5.jar
- - org.eclipse.jetty.websocket-jetty-websocket-jetty-api-12.1.5.jar
- - org.eclipse.jetty.websocket-jetty-websocket-jetty-client-12.1.5.jar
- - org.eclipse.jetty.websocket-jetty-websocket-jetty-common-12.1.5.jar
+ - org.eclipse.jetty-jetty-alpn-client-12.1.6.jar
+ - org.eclipse.jetty-jetty-alpn-conscrypt-server-12.1.6.jar
+ - org.eclipse.jetty-jetty-alpn-server-12.1.6.jar
+ - org.eclipse.jetty-jetty-annotations-12.1.6.jar
+ - org.eclipse.jetty-jetty-client-12.1.6.jar
+ - org.eclipse.jetty-jetty-http-12.1.6.jar
+ - org.eclipse.jetty-jetty-io-12.1.6.jar
+ - org.eclipse.jetty-jetty-jndi-12.1.6.jar
+ - org.eclipse.jetty-jetty-plus-12.1.6.jar
+ - org.eclipse.jetty-jetty-security-12.1.6.jar
+ - org.eclipse.jetty-jetty-server-12.1.6.jar
+ - org.eclipse.jetty-jetty-session-12.1.6.jar
+ - org.eclipse.jetty-jetty-util-12.1.6.jar
+ - org.eclipse.jetty-jetty-xml-12.1.6.jar
+ - org.eclipse.jetty.compression-jetty-compression-common-12.1.6.jar
+ - org.eclipse.jetty.compression-jetty-compression-gzip-12.1.6.jar
+ - org.eclipse.jetty.compression-jetty-compression-server-12.1.6.jar
+ - org.eclipse.jetty.ee-jetty-ee-webapp-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-annotations-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-nested-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-plus-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-proxy-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-security-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-servlet-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-servlets-12.1.6.jar
+ - org.eclipse.jetty.ee8-jetty-ee8-webapp-12.1.6.jar
+ - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-api-12.1.6.jar
+ -
org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-common-12.1.6.jar
+ -
org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-server-12.1.6.jar
+ - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-servlet-12.1.6.jar
+ - org.eclipse.jetty.toolchain-jetty-servlet-api-4.0.9.jar
+ - org.eclipse.jetty.websocket-jetty-websocket-core-client-12.1.6.jar
+ - org.eclipse.jetty.websocket-jetty-websocket-core-common-12.1.6.jar
+ - org.eclipse.jetty.websocket-jetty-websocket-core-server-12.1.6.jar
+ - org.eclipse.jetty.websocket-jetty-websocket-jetty-api-12.1.6.jar
+ - org.eclipse.jetty.websocket-jetty-websocket-jetty-client-12.1.6.jar
+ - org.eclipse.jetty.websocket-jetty-websocket-jetty-common-12.1.6.jar
* SnakeYaml -- org.yaml-snakeyaml-2.0.jar
* RocksDB - org.rocksdb-rocksdbjni-7.9.2.jar
* Google Error Prone Annotations -
com.google.errorprone-error_prone_annotations-2.45.0.jar
@@ -565,9 +565,9 @@ BSD 3-clause "New" or "Revised" License
* JLine -- jline-jline-2.14.6.jar -- ../licenses/LICENSE-JLine.txt
* JLine3 -- org.jline-jline-3.21.0.jar -- ../licenses/LICENSE-JLine.txt
* OW2 ASM
- - org.ow2.asm-asm-9.9.jar -- ../licenses/LICENSE-ASM.txt
- - org.ow2.asm-asm-commons-9.9.jar -- ../licenses/LICENSE-ASM.txt
- - org.ow2.asm-asm-tree-9.9.jar -- ../licenses/LICENSE-ASM.txt
+ - org.ow2.asm-asm-9.9.1.jar -- ../licenses/LICENSE-ASM.txt
+ - org.ow2.asm-asm-commons-9.9.1.jar -- ../licenses/LICENSE-ASM.txt
+ - org.ow2.asm-asm-tree-9.9.1.jar -- ../licenses/LICENSE-ASM.txt
BSD 2-Clause License
* HdrHistogram -- org.hdrhistogram-HdrHistogram-2.1.9.jar --
../licenses/LICENSE-HdrHistogram.txt
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt
b/distribution/shell/src/assemble/LICENSE.bin.txt
index fa10fb959e0..6aa51417695 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -402,18 +402,18 @@ The Apache Software License, Version 2.0
- async-http-client-2.12.4.jar
- async-http-client-netty-utils-2.12.4.jar
* Jetty
- - jetty-alpn-client-12.1.5.jar
- - jetty-client-12.1.5.jar
- - jetty-compression-common-12.1.5.jar
- - jetty-compression-gzip-12.1.5.jar
- - jetty-http-12.1.5.jar
- - jetty-io-12.1.5.jar
- - jetty-util-12.1.5.jar
- - jetty-websocket-core-client-12.1.5.jar
- - jetty-websocket-core-common-12.1.5.jar
- - jetty-websocket-jetty-api-12.1.5.jar
- - jetty-websocket-jetty-client-12.1.5.jar
- - jetty-websocket-jetty-common-12.1.5.jar
+ - jetty-alpn-client-12.1.6.jar
+ - jetty-client-12.1.6.jar
+ - jetty-compression-common-12.1.6.jar
+ - jetty-compression-gzip-12.1.6.jar
+ - jetty-http-12.1.6.jar
+ - jetty-io-12.1.6.jar
+ - jetty-util-12.1.6.jar
+ - jetty-websocket-core-client-12.1.6.jar
+ - jetty-websocket-core-common-12.1.6.jar
+ - jetty-websocket-jetty-api-12.1.6.jar
+ - jetty-websocket-jetty-client-12.1.6.jar
+ - jetty-websocket-jetty-common-12.1.6.jar
* SnakeYaml -- snakeyaml-2.0.jar
* Google Error Prone Annotations - error_prone_annotations-2.45.0.jar
* Javassist -- javassist-3.25.0-GA.jar
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 3e98e38cf03..fd5d8604288 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -27,7 +27,7 @@ bookkeeper = "4.17.3"
zookeeper = "3.9.5"
netty = "4.1.132.Final"
netty-iouring = "0.0.26.Final"
-jetty = "12.1.5"
+jetty = "12.1.6"
jersey = "2.42"
jackson = "2.18.6"
protobuf = "3.25.5"
