Posts

RE: Version info that supports Jetty v12.0.25

Version 12.0.25 will be included in the following Kafka releases: 4.3.0, 4.2.1, 4.0.2, 4.1.2, 3.9.3
see https://issues.apache.org/jira/browse/KAFKA-20168

On 2026/03/16 03:08:35 Apoorva Maheshwari via users wrote:
> Hello,
>
> CVE-2025-5115 is fixed in Jetty 12.0.25.
> Although, latest released Kafka 4.2.0 still have dependency on Jetty 12.0.22.
> Kindly let us know in which Kafka version, you are planning to take Jetty 12.0.25 or later.
>
> Regards,
> Apoorva Maheshwari
>
> From: Jim Halfpenny <jim.halfpenny@stackable.tech>
> Sent: 12 March 2026 13:05
> To: Apoorva Maheshwari <apoorva.maheshwari@ericsson.com>
> Cc: users@kafka.apache.org; Steven Schlansker <stevenschlansker@gmail.com>; users-subscribe@kafka.apache.org; Abhishek Kant Rattan <abhishek.kant.rattan@ericsson.com>; Sahil Sharma D <sahil.d.sharma@ericsson.com>
> Subject: Re: Version info that supports Jetty v12.0.25...

RE: Version info that supports Jetty v12.0.25

Hello,

CVE-2025-5115 is fixed in Jetty 12.0.25.
Although, latest released Kafka 4.2.0 still have dependency on Jetty 12.0.22.
Kindly let us know in which Kafka version, you are planning to take Jetty 12.0.25 or later.

Regards,
Apoorva Maheshwari

From: Jim Halfpenny <jim.halfpenny@stackable.tech>
Sent: 12 March 2026 13:05
To: Apoorva Maheshwari <apoorva.maheshwari@ericsson.com>
Cc: users@kafka.apache.org; Steven Schlansker <stevenschlansker@gmail.com>; users-subscribe@kafka.apache.org; Abhishek Kant Rattan <abhishek.kant.rattan@ericsson.com>; Sahil Sharma D <sahil.d.sharma@ericsson.com>
Subject: Re: Version info that supports Jetty v12.0.25

Hi Apoorva,

I made a typo in my email, I was referring to CVE-2025-5115. The short answer is upgra...

Cruise Control - Memory Usage

Hi all,

We are facing a situation where Cruise Control's memory usage keeps increasing over time, even though the actual cluster load has not changed. Our Kafka cluster is relatively small (around 230 partitions across 3 brokers), yet Cruise Control appears to consume a large amount of heap during proposal generation.

While investigating, we noticed that our Cruise Control setup includes 17 goals (both hard and soft). From what we understand, simulating and evaluating all of these goals, especially the soft balancing goals, can introduce significant memory and CPU overhead.

Before making any changes, I wanted to check with the community:

Question: Do you commonly remove or disable some of Cruise Control's soft goals in production to reduce the Analyzer's computational load? If yes, which goals are generally considered reasonable or safe to deactivate without causing notable negative impact on cluster balance or operational behavior?

Any real‑world experience or recom...

Re: Version info that supports Jetty v12.0.25

Hi Apoorva,

I made a typo in my email, I was referring to CVE-2025-5115. The short answer is upgrade to Kafka >= 4.1.0 to get a version of Jetty that addresses this issue.

Kind regards,
Jim

> On 12 Mar 2026, at 07:17, Apoorva Maheshwari <apoorva.maheshwari@ericsson.com> wrote:
>
> Hello Jim,
>
> Thanks for the quick response.
>
> But I need information about Jetty v12.0.25, in order to address Jetty CVE-2025-5115 not CVE-2025-5151.
>
> Also, if we see any compatibility concerns, with latest jetty and current Kafka will Kafka support that?
>
> Regards,
> Apoorva Maheshwari
>
> From: Jim Halfpenny <jim.halfpenny@stackable.tech>
> Sent: 11 March 2026 15:30
> To: users@kafka.apache.org
> Cc: Steven Schlansker <stevenschlansker@gmail.com>; users...

RE: Version info that supports Jetty v12.0.25

Hello Jim,

Thanks for the quick response.

But I need information about Jetty v12.0.25, in order to address Jetty CVE-2025-5115 not CVE-2025-5151.

Also, if we see any compatibility concerns, with latest jetty and current Kafka will Kafka support that?

Regards,
Apoorva Maheshwari

From: Jim Halfpenny <jim.halfpenny@stackable.tech>
Sent: 11 March 2026 15:30
To: users@kafka.apache.org
Cc: Steven Schlansker <stevenschlansker@gmail.com>; users-subscribe@kafka.apache.org; Abhishek Kant Rattan <abhishek.kant.rattan@ericsson.com>; Sahil Sharma D <sahil.d.sharma@ericsson.com>; Apoorva Maheshwari <apoorva.maheshwari@ericsson.com>
Subject: Re: Version info that supports Jetty v12.0.25

Hi Apoorva,

I've looked through the Kafka dependencies ...

Re: Version info that supports Jetty v12.0.25

Hi Apoorva,

I've looked through the Kafka dependencies in GitHub and 4.1.0 contains Jetty 12.0.22, which contains fixes to address CVE-2025-5151.

https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle

Is this the information you need? If you are using Kafka 3.x I expect you will need to upgrade to 4.x to obtain this fix, I am guessing that jumping from Jetty 9 to 12 is too big a leap for a simple backport of this fix.

Kind regards,
Jim

On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users <users@kafka.apache.org> wrote:
> Hello,
>
> Can you please share your plan for Jetty release?
>
> Regards,
> Apoorva Maheshwari
>
> -----Original Message-----
> From: Steven Schlansker <stevenschlansker@gmail.com>
> Sent: 26 February 2026 22:00
> To: users@kafka.apache.org
> Cc: users-subscribe@kafka.apache.org; Abhishek Kant Rattan <abhishek.kant.rattan@ericsson.com>; Sahi...

RE: Version info that supports Jetty v12.0.25

Hello,

Can you please share your plan for Jetty release?

Regards,
Apoorva Maheshwari

-----Original Message-----
From: Steven Schlansker <stevenschlansker@gmail.com>
Sent: 26 February 2026 22:00
To: users@kafka.apache.org
Cc: users-subscribe@kafka.apache.org; Abhishek Kant Rattan <abhishek.kant.rattan@ericsson.com>; Sahil Sharma D <sahil.d.sharma@ericsson.com>; Apoorva Maheshwari <apoorva.maheshwari@ericsson.com>
Subject: Re: Version info that supports Jetty v12.0.25

> On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users <users@kafka.apache.org> wrote:
>
> Hello Team,
>
> Can you please confirm this pattern, that when we get any vulnerability of jetty and fix from Jetty is available, how soon Kafka release a new version with this Jetty?

If you are urgentl...