This is an automated email from the ASF dual-hosted git repository.

tballison pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tika.git


The following commit(s) were added to refs/heads/main by this push:
     new 70e4d78e90 align Jetty to 12.0.36 to match CXF 4.1.7; trim version 
comments (#2898)
70e4d78e90 is described below

commit 70e4d78e908a64fd081550e5ddbe43b552aebeeb
Author: Tim Allison <[email protected]>
AuthorDate: Wed Jun 24 06:33:46 2026 -0400

    align Jetty to 12.0.36 to match CXF 4.1.7; trim version comments (#2898)
---
 tika-parent/pom.xml | 24 +++++-------------------
 1 file changed, 5 insertions(+), 19 deletions(-)

diff --git a/tika-parent/pom.xml b/tika-parent/pom.xml
index 32c7ae4ee0..69a83747b3 100644
--- a/tika-parent/pom.xml
+++ b/tika-parent/pom.xml
@@ -342,8 +342,6 @@
     <commons.math3.version>3.6.1</commons.math3.version>
     <commons.net.version>3.12.0</commons.net.version>
     <ctakes.version>6.0.0</ctakes.version>
-    <!-- Upgraded to 4.1.7 (from 4.0.11) as part of the Jetty 12 migration 
(CVE-2026-2332).
-         CXF 4.1.x ships cxf-rt-transports-http-jetty built against Jetty 12. 
-->
     <cxf.version>4.1.7</cxf.version>
     <ddplist.version>1.29</ddplist.version>
     <dl4j.version>1.0.0-M2.1</dl4j.version>
@@ -383,14 +381,9 @@
     <jcommander.version>1.82</jcommander.version>
     <jdom2.version>2.0.6.1</jdom2.version>
     <jempbox.version>1.8.17</jempbox.version>
-    <!-- Upgraded from 11.0.26 to 12.0.35 to fix CVE-2026-2332 (HTTP/1.1 
request smuggling,
-         CVSS 9.1 Critical). Jetty 11.x is EOL and 11.0.28 was never released; 
the fix
-         is only available in the Jetty 12 line (>=12.0.33). Jetty 12.0.x 
requires Java 17,
-         the same minimum as this project. Migration guide:
-         
https://jetty.org/docs/jetty/12/programming-guide/migration/11-to-12.html
-    -->
-    <jetty.version>12.0.35</jetty.version>
-    <jetty.http2.version>12.0.35</jetty.http2.version>
+    <!-- pinned to the 12.0.x line CXF and SolrJ build against; 12.0.36 
matches CXF's jetty-ee10-servlet -->
+    <jetty.version>12.0.36</jetty.version>
+    <jetty.http2.version>12.0.36</jetty.http2.version>
     <jhighlight.version>2.0.0</jhighlight.version>
     <jna.version>5.19.1</jna.version>
     <json.simple.version>1.1.1</json.simple.version>
@@ -438,13 +431,7 @@
     <slf4j.version>2.0.18</slf4j.version>
     <sis.version>1.6</sis.version>
     <snappy.version>1.1.10.8</snappy.version>
-    <!-- Upgraded to 10.0.0 (from 9.10.1): SolrJ 9.x bundles Jetty 11 HTTP 
client APIs
-         internally (Http2SolrClient / solr-solrj-jetty), which conflict with 
Jetty 12.
-         SolrJ 10 renames Http2SolrClient -> HttpJettySolrClient (in 
solr-solrj-jetty)
-         and LBHttpSolrClient -> LBJettySolrClient; the solr-solrj-jetty 
artifact must
-         be added alongside solr-solrj wherever those classes are used.
-         NOTE: proxy and basic auth are wired via HttpJettySolrClient.Builder;
-         only basic auth is supported (non-basic schemes are rejected at 
startup). -->
+    <!-- SolrJ 10 splits the Jetty client/ZK code into solr-solrj-jetty / 
solr-solrj-zookeeper -->
     <solrj.version>10.0.0</solrj.version>
     <spring.version>7.0.8</spring.version>
     <sqlite.version>3.53.2.0</sqlite.version>
@@ -572,7 +559,6 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <!-- Jetty 12 renamed all http2 artifacts with a jetty- prefix -->
       <dependency>
         <groupId>org.eclipse.jetty.http2</groupId>
         <artifactId>jetty-http2-client-transport</artifactId>
@@ -1364,7 +1350,7 @@
         <version>3.2.0</version>
         <configuration>
           <excludeCoordinates>
-            <!-- [CVE-2025-1948] check if still present in 
${jetty.http2.version}; CVE-2026-2332 is fixed. -->
+            <!-- [CVE-2025-1948] excluded; re-check whether still present in 
${jetty.http2.version} -->
             <coordinate>
               <groupId>org.eclipse.jetty.http2</groupId>
               <artifactId>jetty-http2-common</artifactId>

Reply via email to