(kafka) branch 4.2 updated: KAFKA-20168 Downgrade Jetty from 12.0.32 to 12.0.25 to fix SLF4J 2.x incompatibility (#21559)

Tue, 24 Feb 2026 21:32:06 -0800 

This is an automated email from the ASF dual-hosted git repository.

chia7712 pushed a commit to branch 4.2
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.2 by this push:
     new a8c726a3c22 KAFKA-20168 Downgrade Jetty from 12.0.32 to 12.0.25 to fix 
SLF4J 2.x incompatibility (#21559)
a8c726a3c22 is described below

commit a8c726a3c22fe7b29e25365de9180c5e41360d7c
Author: Ming-Yen Chung <[email protected]>
AuthorDate: Wed Feb 25 13:24:42 2026 +0800

    KAFKA-20168 Downgrade Jetty from 12.0.32 to 12.0.25 to fix SLF4J 2.x 
incompatibility (#21559)
    
    Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage
    (`Logger.atDebug()`) which causes `NoSuchMethodError` at runtime since
    Kafka still uses SLF4J 1.7.x. Downgrade to 12.0.25 which includes the
    CVE-2025-5115 fix without the SLF4J 2.x incompatibility.
    
    The issue was discovered and discussed in
    https://github.com/apache/kafka/pull/21452#issuecomment-3943544053.
    
    Reviewers: Chia-Ping Tsai <[email protected]>
---
 LICENSE-binary             | 20 ++++++++++----------
 gradle/dependencies.gradle |  6 +++++-
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 493b835045d..c14436f42d5 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -226,16 +226,16 @@ License Version 2.0:
 - jakarta.inject-api-2.0.1
 - jakarta.validation-api-3.0.2
 - javassist-3.30.2-GA
-- jetty-alpn-client-12.0.32
-- jetty-client-12.0.32
-- jetty-ee10-servlet-12.0.32
-- jetty-ee10-servlets-12.0.32
-- jetty-http-12.0.32
-- jetty-io-12.0.32
-- jetty-security-12.0.32
-- jetty-server-12.0.32
-- jetty-session-12.0.32
-- jetty-util-12.0.32
+- jetty-alpn-client-12.0.25
+- jetty-client-12.0.25
+- jetty-ee10-servlet-12.0.25
+- jetty-ee10-servlets-12.0.25
+- jetty-http-12.0.25
+- jetty-io-12.0.25
+- jetty-security-12.0.25
+- jetty-server-12.0.25
+- jetty-session-12.0.25
+- jetty-util-12.0.25
 - jose4j-0.9.6
 - jspecify-1.0.0
 - log4j-api-2.25.3
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 9f6767568c0..f450fef0af4 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -66,7 +66,11 @@ versions += [
   jackson: "2.19.2",
   jacoco: "0.8.14",
   javassist: "3.30.2-GA",
-  jetty: "12.0.32",
+  // Jetty 12.0.30+ introduced SLF4J 2.x fluent API usage (e.g. 
Logger.atDebug()) in production
+  // code, which causes NoSuchMethodError at runtime since Kafka uses SLF4J 
1.7.x.
+  // 12.0.25 is the version that includes the CVE-2025-5115 fix while only 
using the
+  // SLF4J 2.x fluent API in test code, avoiding the runtime incompatibility.
+  jetty: "12.0.25",
   jersey: "3.1.10",
   jline: "3.30.4",
   jmh: "1.37",

Reply via email to