Commit 15b20f9

KAFKA-20168 Upgrade Jetty from 12.0.22 to 12.0.32 to fix CVE-2025-5115 (#21461)
Upgrade Jetty from 12.0.22 to 12.0.32 to address GHSA-mmxm-8w33-wc4h (MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH).

Note that GHSA-mmxm-8w33-wc4h only affects the org.eclipse.jetty.http2:jetty-http2-common module. Kafka does not depend on this module — its embedded Jetty servers (Connect RestServer and Trogdor JsonRestServer) only use HTTP/1.1 via ServerConnector without any HTTP2ServerConnectionFactory configuration. As such, the attack vector is not applicable. This upgrade from 12.0.22 to 12.0.32 is to keep the dependency up to date.

4.0: #21462
trunk: #21452

Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
1 parent ebddff3 commit 15b20f9

2 files changed, +11 -11 lines changed

LICENSE-binary

Lines changed: 10 additions & 10 deletions
@@ -226,16 +226,16 @@ License Version 2.0:
226226
- jakarta.inject-api-2.0.1
227227
- jakarta.validation-api-3.0.2
228228
- javassist-3.30.2-GA
229-
- jetty-alpn-client-12.0.22
230-
- jetty-client-12.0.22
231-
- jetty-ee10-servlet-12.0.22
232-
- jetty-ee10-servlets-12.0.22
233-
- jetty-http-12.0.22
234-
- jetty-io-12.0.22
235-
- jetty-security-12.0.22
236-
- jetty-server-12.0.22
237-
- jetty-session-12.0.22
238-
- jetty-util-12.0.22
229+
- jetty-alpn-client-12.0.32
230+
- jetty-client-12.0.32
231+
- jetty-ee10-servlet-12.0.32
232+
- jetty-ee10-servlets-12.0.32
233+
- jetty-http-12.0.32
234+
- jetty-io-12.0.32
235+
- jetty-security-12.0.32
236+
- jetty-server-12.0.32
237+
- jetty-session-12.0.32
238+
- jetty-util-12.0.32
239239
- jose4j-0.9.6
240240
- jspecify-1.0.0
241241
- log4j-api-2.25.3
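
Review bot: The ten jetty-* entries at lines 229-238 are edited by hand to 12.0.32, and nothing in this hunk ties them to the jars that actually ship. Please confirm against the built distribution that every bundled Jetty jar is at 12.0.32 and that the upgrade did not pull in a Jetty module that is missing from this list. No jetty-http2 entry appears between jetty-http and jetty-io, which is consistent with the commit message's statement that Kafka does not depend on jetty-http2-common; the packaged libs should be checked to show the same.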

gradle/dependencies.gradle

Lines changed: 1 addition & 1 deletion
@@ -66,7 +66,7 @@ versions += [
6666
jackson: "2.19.4",
6767
jacoco: "0.8.13",
6868
javassist: "3.30.2-GA",
69-
jetty: "12.0.22",
69+
jetty: "12.0.32",
7070
jersey: "3.1.10",
7171
jline: "3.30.4",
7272
jmh: "1.37",
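
Review bot: The one-line bump at line 69 (jetty: "12.0.22" to jetty: "12.0.32") does not match the commit subject's "to fix CVE-2025-5115", because the body states the attack vector is not applicable and the upgrade is only to keep the dependency up to date. Suggest rewording the subject so readers and vulnerability trackers do not take this commit as a required fix, and recording in the PR the evidence that no org.eclipse.jetty.http2 artifact is resolved on the runtime classpath, since the not-affected claim rests on that. The change also spans ten patch releases with no other files touched, so it would help to note which tests exercised the Connect RestServer and Trogdor JsonRestServer against 12.0.32.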
