Hello Jim,

Thanks for the quick response.

But I need information about Jetty v12.0.25, in order to address Jetty 
CVE-2025-5115 not CVE-2025-5151.


Also, if we see any compatibility concerns with the latest Jetty and current Kafka, 
will Kafka support that?

Regards,
Apoorva Maheshwari

From: Jim Halfpenny <[email protected]>
Sent: 11 March 2026 15:30
To: [email protected]
Cc: Steven Schlansker <[email protected]>; 
[email protected]; Abhishek Kant Rattan 
<[email protected]>; Sahil Sharma D 
<[email protected]>; Apoorva Maheshwari 
<[email protected]>
Subject: Re: Version info that supports Jetty v12.0.25

Hi Apoorva,
I've looked through the Kafka dependencies in GitHub and 4.1.0 contains Jetty 
12.0.22, which contains fixes to address CVE-2025-5151.

https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle

Is this the information you need? If you are using Kafka 3.x I expect you will 
need to upgrade to 4.x to obtain this fix. I am guessing that jumping from 
Jetty 9 to 12 is too big a leap for a simple backport of this fix.

Kind regards,
Jim



On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users 
<[email protected]> wrote:
Hello,

Can you please share your plan for Jetty release?

Regards,
Apoorva Maheshwari

-----Original Message-----
From: Steven Schlansker <[email protected]>
Sent: 26 February 2026 22:00
To: [email protected]
Cc: [email protected]; Abhishek Kant Rattan <[email protected]>; 
Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
Subject: Re: Version info that supports Jetty v12.0.25


> On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users 
> <[email protected]> wrote:
>
> Hello Team,
>
> Can you please confirm this pattern: when we get any Jetty vulnerability 
> and a fix from Jetty is available, how soon does Kafka release a new version 
> with this Jetty?

If you are urgently needing to adopt a Jetty release on your own schedule, 
rather than Kafka's schedule, you can always adopt new Jetty with your current 
Kafka version using Maven's <dependencyManagement> feature. This works for most 
projects, not just Kafka.

Of course then you should test that the new combination works acceptably to 
your requirements, but it at least gives you an independent path forward 
without needing to pressure Kafka maintainers on new releases with dependency 
updates, until the normal release process delivers a fixed Kafka artifact.

>
> Regards,
> Apoorva Maheshwari
>
> From: Apoorva Maheshwari
> Sent: 13 February 2026 11:10
> To: '[email protected]' <[email protected]>; 
> '[email protected]' <[email protected]>
> Cc: Abhishek Kant Rattan <[email protected]>; 
> Sahil Sharma D <[email protected]>
> Subject: RE: Version info that supports Jetty v12.0.25
>
> Response awaited.
>
> Regards,
> Apoorva Maheshwari
>
> From: Apoorva Maheshwari
> Sent: 11 February 2026 10:30
> To: [email protected]; [email protected]
> Cc: Abhishek Kant Rattan <[email protected]>; 
> Sahil Sharma D <[email protected]>
> Subject: Version info that supports Jetty v12.0.25
>
> Hello Team,
>
> Please confirm your plan to release a version that supports Jetty v12.0.25, 
> in order to address Jetty CVE-2025-5115.
>
> Regards,
> Apoorva Maheshwari
>
>
