chia7712 commented on PR #21452: URL: https://github.com/apache/kafka/pull/21452#issuecomment-3950090058
> Looking at the CVE though it seems like Jetty 12.0.22 already has this fix too.

The security fix mentioned by is actually available starting from 12.0.25; see https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h

It seems we might have overlooked the SLF4J dependency constraints when discussing KIP-1032. The fluent API usage that @omkreddy pointed out was introduced in https://github.com/jetty/jetty.project/commit/1d1d1a90c81a1df0b539aa8593bdb7907200bd07 and was pushed to Jetty 12.0.30+.

I've cross-checked the source code of Jetty 12.0.25, and it appears the Fluent API was only used in their test code at that point, which wouldn't trigger the `NoSuchMethodError` at runtime for us: https://github.com/jetty/jetty.project/commit/c112a1c5380153f708fcf47b8d25588801eb842f

Since upgrading to SLF4J is not an option for Kafka at this moment, the most straightforward solution is to downgrade Jetty to 12.0.25. This keeps us on Jetty 12 as per KIP-1032 and ensures we have the necessary CVE fixes without the SLF4J 1.x incompatibility.

@omkreddy @viktorsomogyi WDYT?

-- This is an automated message from the Apache Git Service.
