This is an automated email from the ASF dual-hosted git repository.

chia7712 pushed a commit to branch 3.9
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/3.9 by this push:
     new cf1835a051b KAFKA-20168 Upgrade Jetty from 9.4.57 to 9.4.58 to fix CVE-2025-5115 (#21505)
cf1835a051b is described below

commit cf1835a051b4fff4fbc81d7fc79d9d25c321575f
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Wed Feb 18 21:35:50 2026 +0800

    KAFKA-20168 Upgrade Jetty from 9.4.57 to 9.4.58 to fix CVE-2025-5115 (#21505)
    
    Upgrade Jetty from 9.4.57.v20241219 to 9.4.58.v20250814 to address
    [CVE-2025-5115](https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h)
    (MadeYouReset HTTP/2 DoS, CVSS 7.7 HIGH).
    
    Note that CVE-2025-5115 only affects the `jetty-http2-common` module.
    Kafka does not depend on this module — its embedded Jetty servers
    (Connect RestServer and Trogdor JsonRestServer) only use HTTP/1.1 via
    `ServerConnector` without any `HTTP2ServerConnectionFactory`
    configuration. As such, the attack vector is not applicable. This
    upgrade is to keep the dependency up to date.
    
    trunk: https://github.com/apache/kafka/pull/21452
    4.0: https://github.com/apache/kafka/pull/21462
    4.1: https://github.com/apache/kafka/pull/21461
    
    Reviewers: Chia-Ping Tsai <[email protected]>
---
 LICENSE-binary             | 20 ++++++++++----------
 gradle/dependencies.gradle |  2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 985f63d1985..93b003f988d 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -229,16 +229,16 @@ jackson-module-scala_2.13-2.16.2
 jackson-module-scala_2.12-2.16.2
 jakarta.validation-api-2.0.2
 javassist-3.29.2-GA
-jetty-client-9.4.57.v20241219
-jetty-continuation-9.4.57.v20241219
-jetty-http-9.4.57.v20241219
-jetty-io-9.4.57.v20241219
-jetty-security-9.4.57.v20241219
-jetty-server-9.4.57.v20241219
-jetty-servlet-9.4.57.v20241219
-jetty-servlets-9.4.57.v20241219
-jetty-util-9.4.57.v20241219
-jetty-util-ajax-9.4.57.v20241219
+jetty-client-9.4.58.v20250814
+jetty-continuation-9.4.58.v20250814
+jetty-http-9.4.58.v20250814
+jetty-io-9.4.58.v20250814
+jetty-security-9.4.58.v20250814
+jetty-server-9.4.58.v20250814
+jetty-servlet-9.4.58.v20250814
+jetty-servlets-9.4.58.v20250814
+jetty-util-9.4.58.v20250814
+jetty-util-ajax-9.4.58.v20250814
 jose4j-0.9.6
 lz4-java-1.10.1
 maven-artifact-3.9.6
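Review bot: the ten entries updated here (client, continuation, http, io, security, server, servlet, servlets, util, util-ajax) contain no jetty-http2-* artifact, which is consistent with the commit message's statement that the `jetty-http2-common` module affected by CVE-2025-5115 is not a Kafka dependency; since LICENSE-binary is maintained by hand, please confirm against the Jetty jars actually present in the built distribution that 9.4.58.v20250814 pulls in no additional or renamed Jetty artifact, so the list stays an exact record of what ships.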
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index f2e80cc1a9a..f22050ba3e0 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -100,7 +100,7 @@ versions += [
   jackson: "2.16.2",
   jacoco: "0.8.10",
   javassist: "3.29.2-GA",
-  jetty: "9.4.57.v20241219",
+  jetty: "9.4.58.v20250814",
   jersey: "2.47",
   jline: "3.25.1",
   jmh: "1.37",
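Review bot: the single `jetty` version entry is what drives every jetty-* artifact listed in LICENSE-binary, so the two hunks are consistent with each other; since the rationale (HTTP/1.1 only via `ServerConnector`, no `HTTP2ServerConnectionFactory`, vulnerable module not pulled in) lives only in the commit message, a one-line comment next to this version, or a pointer to the trunk PR linked in the message, would save the next person bumping Jetty from re-deriving whether the HTTP/2 modules matter for this branch.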
