lfurman opened a new pull request, #3005:
URL: https://github.com/apache/james-project/pull/3005
## Motivation
This PR upgrades Jetty and Netty to fix HIGH and MEDIUM severity CVEs
found in transitive dependencies.
## CVEs Fixed
| CVE | Severity | Library | Before | After |
|----------------|----------|--------------------------|----------------|----------------|
| CVE-2025-5115 | HIGH | jetty-http2-common | 12.0.20 | 12.0.32 |
| CVE-2026-1605 | HIGH | jetty-server | 12.0.20 | 12.0.32 |
| CVE-2025-67735 | MEDIUM | netty-codec-http | 4.1.126.Final | 4.1.129.Final |
| CVE-2025-11226 | MEDIUM | logback-core/classic | already 1.5.19 | no change |
| CVE-2025-7962 | MEDIUM | angus:smtp | not in tree | no change |
## Changes
### `pom.xml` (root)
- Bump `netty.version` from `4.1.126.Final` to `4.1.129.Final`
- Add `jetty.version` property set to `12.0.32`
- Add Jetty artifacts to `<dependencyManagement>` to force transitive upgrade:
  - `jetty-server`, `jetty-http`, `jetty-io`, `jetty-util`
  - `jetty-http2-common`, `jetty-http2-server`
  - `jetty-websocket-jetty-server`
  - `jetty-ee10-websocket-jetty-server`
### `examples/pom.xml`
- Add same Jetty and Netty overrides independently in a new `<dependencyManagement>` block.
- Required because `examples/pom.xml` inherits from `org.apache:apache:23` and not from `james-project` root, so root fixes are invisible here.
## Verification
```bash
# Dump the resolved tree once, then grep it for old and new coordinates.
mvn dependency:tree > /tmp/final-tree.txt 2>&1
echo "=== JETTY CVE-2025-5115 jetty-http2-common old 12.0.20 (should be empty) ===" && grep -q ":jetty-http2-common:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY CVE-2025-5115 jetty-http2-common new 12.0.32 (should have hits) ===" && grep -q ":jetty-http2-common:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"
echo "=== JETTY CVE-2026-1605 jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY CVE-2026-1605 jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"
echo "=== JETTY jetty-websocket-jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-websocket-jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY jetty-websocket-jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-websocket-jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"
echo "=== JETTY jetty-ee10-websocket-jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-ee10-websocket-jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY jetty-ee10-websocket-jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-ee10-websocket-jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"
echo "=== NETTY CVE-2025-67735 netty-codec-http old 4.1.126 (should be empty) ===" && grep -q "netty-codec-http:jar:4.1.126" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== NETTY CVE-2025-67735 netty-codec-http new 4.1.129 (should have hits) ===" && grep -q "netty-codec-http:jar:4.1.129" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"
echo "=== LOGBACK CVE-2025-11226 old 1.5.18 (should be empty) ===" && grep -q "logback.*jar:1.5.18" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== LOGBACK CVE-2025-11226 new 1.5.19 (should have hits) ===" && grep -q "logback.*jar:1.5.19" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"
echo "=== ANGUS SMTP CVE-2025-7962 (should be empty — not in tree) ===" && grep -q "angus.*smtp" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ Not present in tree — expected"
```
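A table-driven version of the same verification, added here as an example and not part of the PR or the James project: it parses `mvn dependency:tree` output and reports vulnerable versions still present, fixed versions not seen, and artifacts that should be absent. The artifact and version pairs come from the CVE table above; the sample tree output is constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Vulnerable -> fixed version per artifactId, taken from the PR's CVE table.
UPGRADES: Dict[str, Tuple[str, str]] = {
    "jetty-server": ("12.0.20", "12.0.32"),
    "jetty-http2-common": ("12.0.20", "12.0.32"),
    "jetty-websocket-jetty-server": ("12.0.20", "12.0.32"),
    "jetty-ee10-websocket-jetty-server": ("12.0.20", "12.0.32"),
    "netty-codec-http": ("4.1.126.Final", "4.1.129.Final"),
    "logback-core": ("1.5.18", "1.5.19"),
    "logback-classic": ("1.5.18", "1.5.19"),
}
# Must not appear in the tree at all (angus:smtp, CVE-2025-7962).
ABSENT = re.compile(r"angus.*smtp")
# groupId:artifactId:jar:version as printed by `mvn dependency:tree`.
COORD = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+)")


def parse_tree(text: str) -> Dict[str, Set[str]]:
    """Map each artifactId to every version seen anywhere in the tree."""
    seen: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = COORD.search(line)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(3))
    return seen


def check_tree(text: str) -> Dict[str, List[str]]:
    """Report stale (vulnerable version present), missing (fixed version
    absent) and forbidden (artifact that must not be present) findings."""
    seen = parse_tree(text)
    report: Dict[str, List[str]] = {"stale": [], "missing": [], "forbidden": []}
    for artifact, (bad, good) in UPGRADES.items():
        versions = seen.get(artifact, set())
        if bad in versions:
            report["stale"].append(f"{artifact}:{bad}")
        if good not in versions:
            report["missing"].append(f"{artifact}:{good}")
    report["forbidden"] = [l.strip() for l in text.splitlines() if ABSENT.search(l)]
    return report


# Constructed sample in dependency:tree format (not real James output); it
# deliberately keeps one stale Netty coordinate to show the check firing.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.eclipse.jetty:jetty-server:jar:12.0.32:compile
[INFO] |  \\- org.eclipse.jetty:jetty-http:jar:12.0.32:compile
[INFO] +- org.eclipse.jetty.http2:jetty-http2-common:jar:12.0.32:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.5.19:compile
[INFO] |  \\- ch.qos.logback:logback-core:jar:1.5.19:compile
[INFO] \\- io.netty:netty-codec-http:jar:4.1.126.Final:compile
"""
```

Run against the real file with `check_tree(open("/tmp/final-tree.txt").read())`; a non-empty `stale` or `forbidden` list means an override did not take effect in that module.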
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]