Conversation
Updated Jetty version to 12.0.32 to fix CVE-2026-1605
Updated Jetty dependencies to version 12.0.32.
gradle/dependencies.gradle
| // 12.0.25 is the version that includes the CVE-2025-5115 fix while only using the | ||
| // SLF4J 2.x fluent API in test code, avoiding the runtime incompatibility. | ||
| jetty: "12.0.25", | ||
| jetty: "12.0.32", |
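Review bot: the comment kept above the version line still says that 12.0.25 was chosen because it is the release that carries the CVE-2025-5115 fix while only using the SLF4J 2.x fluent API in test code, yet the version itself moves to 12.0.32; the rationale and the value now contradict each other. Either the comment should be updated to explain why 12.0.32 no longer triggers the runtime incompatibility with slf4j 1.7.36, or the bump should wait for the slf4j upgrade and be accompanied by that dependency change in the same PR.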
See the comment above. We had to downgrade from 12.0.32 in #21559 because of an incompatibility with slf4j 2.X
Thanks for the clarification.
Interestingly, my Connect Worker, in which I replaced version 12.0.25 with 12.0.33, has been running without problems (including REST API) since Friday and has already transferred two terabytes of changes.
There are 707 source files dependent on org.slf4j (1210 entries). They depend on
org.slf4j.Logger;
org.slf4j.LoggerFactory;
org.slf4j.MDC;
org.slf4j.Marker;
org.slf4j.MarkerFactory;
org.slf4j.event.Level;
org.slf4j.helpers.FormattingTuple;
org.slf4j.helpers.MessageFormatter;
org.slf4j.spi.LocationAwareLogger;
Test classes also contain:
assertFalse(PluginUtils.shouldLoadInIsolation("org.slf4j."));
assertFalse(PluginUtils.shouldLoadInIsolation("org.slf4j.LoggerFactory"));
I think upgrading slf4j to version 2.0.17 for the entire Kafka bundle is possible.
Working on this.
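The incompatibility this thread circles around is a dependency compiled against the slf4j 2.x fluent API (`Logger.atDebug()` and the `LoggingEventBuilder` family) being loaded on an slf4j 1.7.36 classpath, where those symbols do not exist. The following is an added example, not Kafka's or Jetty's own code: it reads the constant pool of every class in a jar and reports references to that 2.x-only surface, which is one way to check whether a Jetty artifact is safe to run against slf4j 1.7.36 before bumping the version. The set of names treated as 2.x-only is an assumption of this example (the `org.slf4j.spi.*LoggingEventBuilder` classes and the `at*`/`makeLoggingEventBuilder`/`isEnabledForLevel` methods on `Logger`), and the jar it scans is constructed inline from hand-built minimal class files rather than taken from any real release.

```python
import io
import struct
import zipfile

# Assumption for this example: API surface that exists in slf4j 2.0 but not in 1.7.36.
SLF4J2_ONLY_CLASSES = {
    "org/slf4j/spi/LoggingEventBuilder",
    "org/slf4j/spi/DefaultLoggingEventBuilder",
    "org/slf4j/spi/NOPLoggingEventBuilder",
}
SLF4J2_ONLY_LOGGER_METHODS = {
    "atTrace", "atDebug", "atInfo", "atWarn", "atError", "atLevel",
    "makeLoggingEventBuilder", "isEnabledForLevel",
}


def parse_constant_pool(data: bytes) -> dict:
    """Parse a class file's constant pool into {index: (tag, payload)}."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            pool[i] = (tag, data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (3, 4):  # Integer, Float
            pool[i] = (tag, data[pos:pos + 4])
            pos += 4
        elif tag in (5, 6):  # Long, Double take two pool slots
            pool[i] = (tag, data[pos:pos + 8])
            pos += 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package
            pool[i] = (tag, struct.unpack(">H", data[pos:pos + 2]))
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):  # Field/Method refs, NameAndType, Dynamic
            pool[i] = (tag, struct.unpack(">HH", data[pos:pos + 4]))
            pos += 4
        elif tag == 15:  # MethodHandle
            pool[i] = (tag, struct.unpack(">BH", data[pos:pos + 3]))
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool


def referenced_api(data: bytes):
    """Yield (class_name, method_name_or_None) for every class/method the class file references."""
    pool = parse_constant_pool(data)
    utf8 = lambda idx: pool[idx][1]
    class_name = lambda idx: utf8(pool[idx][1][0])
    for tag, payload in pool.values():
        if tag == 7:  # CONSTANT_Class
            yield utf8(payload[0]), None
        elif tag in (10, 11):  # Methodref / InterfaceMethodref
            cls_idx, nat_idx = payload
            name_idx, _desc_idx = pool[nat_idx][1]
            yield class_name(cls_idx), utf8(name_idx)


def find_slf4j2_usages(jar_bytes: bytes) -> list:
    """Return sorted (entry, reference) pairs that would fail to link on slf4j 1.7.x."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            for cls, method in referenced_api(jar.read(entry)):
                if cls in SLF4J2_ONLY_CLASSES:
                    hits.add((entry, cls))
                elif cls == "org/slf4j/Logger" and method in SLF4J2_ONLY_LOGGER_METHODS:
                    hits.add((entry, f"{cls}.{method}"))
    return sorted(hits)


def build_class(class_refs, method_refs) -> bytes:
    """Constructed input: a minimal class file whose constant pool holds the given references."""
    entries = []

    def add(entry: bytes) -> int:
        entries.append(entry)
        return len(entries)  # 1-based constant pool index

    def utf8(s: str) -> int:
        return add(b"\x01" + struct.pack(">H", len(s)) + s.encode())

    for name in class_refs:
        add(b"\x07" + struct.pack(">H", utf8(name)))
    for cls, method in method_refs:
        cls_idx = add(b"\x07" + struct.pack(">H", utf8(cls)))
        nat_idx = add(b"\x0c" + struct.pack(">HH", utf8(method), utf8("()V")))
        add(b"\x0a" + struct.pack(">HH", cls_idx, nat_idx))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(entries) + 1)
    return header + b"".join(entries)


def build_sample_jar() -> bytes:
    """Constructed jar: one class on the 1.7-safe API, one using the 2.x fluent API."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("safe/Handler.class",
                     build_class(["org/slf4j/Logger"], [("org/slf4j/Logger", "debug")]))
        jar.writestr("fluent/Handler.class",
                     build_class(["org/slf4j/spi/LoggingEventBuilder"],
                                 [("org/slf4j/Logger", "atDebug")]))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, ref in find_slf4j2_usages(build_sample_jar()):
        print(f"{entry}: needs slf4j 2.x for {ref}")
```

Pointing `find_slf4j2_usages` at a real `jetty-*.jar` (read from disk instead of `build_sample_jar`) reports which classes, if any, link against the fluent API; a hit in a non-test artifact means the jar cannot run on slf4j 1.7.36, while hits confined to test jars match the situation the comment in `dependencies.gradle` describes for 12.0.25.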
The main cause of unit test failures is org.apache.kafka.common.utils.LogCaptureAppender, which behaves differently when using slf4j versions 1.7.36 and 2.0.17.
Looking into it.
If you want to look into the slf4j dependency, I'd suggest you open a separate issue/PR. Note that other people are looking into it already #21452 (comment), so try syncing with them.
Fix jetty-server vulnerability CVE-2026-1605