
Re: Version info that supports Jetty v12.0.25

Hi Apoorva,
I've looked through the Kafka dependencies on GitHub and 4.1.0 contains
Jetty 12.0.22, which contains fixes to address CVE-2025-5151.

https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle

Is this the information you need? If you are using Kafka 3.x, I expect you
will need to upgrade to 4.x to obtain this fix; I am guessing that jumping
from Jetty 9 to 12 is too big a leap for a simple backport of this fix.

Kind regards,
Jim



On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users <
users@kafka.apache.org> wrote:

> Hello,
>
> Can you please share your plan for Jetty release?
>
> Regards,
> Apoorva Maheshwari
>
> -----Original Message-----
> From: Steven Schlansker <stevenschlansker@gmail.com>
> Sent: 26 February 2026 22:00
> To: users@kafka.apache.org
> Cc: users-subscribe@kafka.apache.org; Abhishek Kant Rattan <
> abhishek.kant.rattan@ericsson.com>; Sahil Sharma D <
> sahil.d.sharma@ericsson.com>; Apoorva Maheshwari <
> apoorva.maheshwari@ericsson.com>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> > On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users <users@kafka.apache.org> wrote:
> >
> > Hello Team,
> >
> > Can you please confirm this pattern, that when we get any vulnerability
> > of Jetty and a fix from Jetty is available, how soon Kafka releases a new
> > version with this Jetty?
>
> If you are urgently needing to adopt a Jetty release on your own schedule,
> rather than Kafka's schedule, you can always adopt new Jetty with your
> current Kafka version using Maven's <dependencyManagement> feature. This
> works for most projects, not just Kafka.
>
> Of course then you should test that the new combination works acceptably
> to your requirements, but it at least gives you an independent path forward
> without needing to pressure Kafka maintainers on new releases with
> dependency updates, until the normal release process delivers a fixed Kafka
> artifact.
>
> >
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 13 February 2026 11:10
> > To: 'users-subscribe@kafka.apache.org'
> > <users-subscribe@kafka.apache.org>; 'users@kafka.apache.org'
> > <users@kafka.apache.org>
> > Cc: Abhishek Kant Rattan <abhishek.kant.rattan@ericsson.com>; Sahil
> > Sharma D <sahil.d.sharma@ericsson.com>
> > Subject: RE: Version info that supports Jetty v12.0.25
> >
> > Response awaited.
> >
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 11 February 2026 10:30
> > To: users-subscribe@kafka.apache.org; users@kafka.apache.org
> > Cc: Abhishek Kant Rattan <abhishek.kant.rattan@ericsson.com>; Sahil
> > Sharma D <sahil.d.sharma@ericsson.com>
> > Subject: Version info that supports Jetty v12.0.25
> >
> > Hello Team,
> >
> > Please confirm your plan to release a version that supports Jetty
> > v12.0.25, in order to address Jetty CVE-2025-5115.
> >
> > Regards,
> > Apoorva Maheshwari
> >
> >
>
>
