KAFKA-20168: Upgrade Jetty from 12.0.22 to 12.0.32 to fix CVE-2025-5115 (4.0) (#21462)

Upgrade Jetty from 12.0.22 to 12.0.32 to address

[GHSA-mmxm-8w33-wc4h](GHSA-mmxm-8w33-wc4h)
(MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH).

Note that GHSA-mmxm-8w33-wc4h only affects
the
org.eclipse.jetty.http2:jetty-http2-common module. Kafka does not
depend on this module — its embedded Jetty servers (Connect RestServer
and Trogdor JsonRestServer) only use HTTP/1.1 via ServerConnector
without any HTTP2ServerConnectionFactory
configuration. As such, the attack vector is not applicable. This
upgrade from 12.0.22 to 12.0.32 is to keep the dependency up to date.

4.1: #21461
trunk: #21452

Reviewers: Viktor Somogyi-Vass <viktorsomogyi@gmail.com>

---------

Co-authored-by: Viktor Somogyi-Vass <viktorsomogyi@gmail.com>

Author: mingyen066

LICENSE-binary

@@ -225,16 +225,16 @@ License Version 2.0:
 - jakarta.inject-api-2.0.1
 - jakarta.validation-api-3.0.2
 - javassist-3.29.2-GA
-- jetty-alpn-client-12.0.15
-- jetty-client-12.0.15
-- jetty-ee10-servlet-12.0.15
-- jetty-ee10-servlets-12.0.15
-- jetty-http-12.0.15
-- jetty-io-12.0.15
-- jetty-security-12.0.15
-- jetty-server-12.0.15
-- jetty-session-12.0.15
-- jetty-util-12.0.15
+- jetty-alpn-client-12.0.32
+- jetty-client-12.0.32
+- jetty-ee10-servlet-12.0.32
+- jetty-ee10-servlets-12.0.32
+- jetty-http-12.0.32
+- jetty-io-12.0.32
+- jetty-security-12.0.32
+- jetty-server-12.0.32
+- jetty-session-12.0.32
+- jetty-util-12.0.32
 - jose4j-0.9.4
 - log4j-api-2.25.3
 - log4j-core-2.25.3

gradle/dependencies.gradle

@@ -69,7 +69,7 @@ versions += [
   jackson: "2.16.2",
   jacoco: "0.8.10",
   javassist: "3.29.2-GA",
-  jetty: "12.0.15",
+  jetty: "12.0.32",
   jersey: "3.1.10",
   jline: "3.25.1",
   jmh: "1.37",