++ Vivek

From: Jim Halfpenny <[email protected]>
Sent: 21 March 2026 15:09
To: Ashish Verma V <[email protected]>
Cc: [email protected]; Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
Subject: Re: Version info that supports Jetty v12.0.25

If you look at the dependencies for 4.0.2 and 4.1.2 you can see that Jetty 12.0.25 is present there.

https://github.com/apache/kafka/blob/4.0.2/gradle/dependencies.gradle
https://github.com/apache/kafka/blob/4.1.2/gradle/dependencies.gradle

Kind regards,
Jim

On 20 Mar 2026, at 05:21, Ashish Verma V <[email protected]> wrote:

Hi Jim,

Any update on this query?

Thanks
Ashish Verma

From: Apoorva Maheshwari <[email protected]>
Sent: 16 March 2026 08:39
To: Jim Halfpenny <[email protected]>
Cc: [email protected]; Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Ashish Verma V <[email protected]>
Subject: RE: Version info that supports Jetty v12.0.25

Hello,

CVE-2025-5115 is fixed in Jetty 12.0.25. Although, the latest released Kafka 4.2.0 still has a dependency on Jetty 12.0.22. Kindly let us know in which Kafka version you are planning to take Jetty 12.0.25 or later.

Regards,
Apoorva Maheshwari

From: Jim Halfpenny <[email protected]>
Sent: 12 March 2026 13:05
To: Apoorva Maheshwari <[email protected]>
Cc: [email protected]; Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
Subject: Re: Version info that supports Jetty v12.0.25

Hi Apoorva,

I made a typo in my email, I was referring to CVE-2025-5115.
The short answer is upgrade to Kafka >= 4.1.0 to get a version of Jetty that addresses this issue.

Kind regards,
Jim

On 12 Mar 2026, at 07:17, Apoorva Maheshwari <[email protected]> wrote:

Hello Jim,

Thanks for the quick response. But I need information about Jetty v12.0.25, in order to address Jetty CVE-2025-5115, not CVE-2025-5151. Also, if we see any compatibility concerns with the latest Jetty and current Kafka, will Kafka support that?

Regards,
Apoorva Maheshwari

From: Jim Halfpenny <[email protected]>
Sent: 11 March 2026 15:30
To: [email protected]
Cc: Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
Subject: Re: Version info that supports Jetty v12.0.25

Hi Apoorva,

I've looked through the Kafka dependencies in GitHub and 4.1.0 contains Jetty 12.0.22, which contains fixes to address CVE-2025-5151.

https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle

Is this the information you need? If you are using Kafka 3.x I expect you will need to upgrade to 4.x to obtain this fix, I am guessing that jumping from Jetty 9 to 12 is too big a leap for a simple backport of this fix.

Kind regards,
Jim

On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users <[email protected]> wrote:

Hello,

Can you please share your plan for Jetty release?
Regards,
Apoorva Maheshwari

-----Original Message-----
From: Steven Schlansker <[email protected]>
Sent: 26 February 2026 22:00
To: [email protected]
Cc: [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
Subject: Re: Version info that supports Jetty v12.0.25

> On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users <[email protected]> wrote:
>
> Hello Team,
>
> Can you please confirm this pattern, that when we get any vulnerability of
> Jetty and fix from Jetty is available, how soon Kafka releases a new version
> with this Jetty?

If you are urgently needing to adopt a Jetty release on your own schedule, rather than Kafka's schedule, you can always adopt new Jetty with your current Kafka version using Maven's <dependencyManagement> feature. This works for most projects, not just Kafka.

Of course then you should test that the new combination works acceptably to your requirements, but it at least gives you an independent path forward without needing to pressure Kafka maintainers on new releases with dependency updates, until the normal release process delivers a fixed Kafka artifact.

>
> Regards,
> Apoorva Maheshwari
>
> From: Apoorva Maheshwari
> Sent: 13 February 2026 11:10
> To: '[email protected]' <[email protected]>; '[email protected]' <[email protected]>
> Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> Subject: RE: Version info that supports Jetty v12.0.25
>
> Response awaited.
>
> Regards,
> Apoorva Maheshwari
>
> From: Apoorva Maheshwari
> Sent: 11 February 2026 10:30
> To: [email protected]; [email protected]
> Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> Subject: Version info that supports Jetty v12.0.25
>
> Hello Team,
>
> Please confirm your plan to release a version that supports Jetty v12.0.25,
> in order to address Jetty CVE-2025-5115.
>
> Regards,
> Apoorva Maheshwari
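
One way to check the result of the `<dependencyManagement>` override suggested in the thread, as an added example that is not part of the thread or of Kafka's own code: it reads `mvn dependency:list` output and reports Jetty modules still below 12.0.25 (the fixed version named in the thread) and whether the resolved Jetty versions are mixed. The sample listing is constructed, and `audit`, `jetty_artifacts` and `parse_version` are names made up for this example.

```python
import re

# Threshold from the thread: CVE-2025-5115 is fixed in Jetty 12.0.25.
FIXED = (12, 0, 25)

# Constructed sample of `mvn dependency:list` output for a build where only
# jetty-server and the ee10 servlet module were overridden (not real output).
SAMPLE = """\
[INFO]    org.apache.kafka:connect-runtime:jar:4.1.0:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:12.0.25:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:12.0.22:compile
[INFO]    org.eclipse.jetty:jetty-io:jar:12.0.22:compile
[INFO]    org.eclipse.jetty.ee10:jetty-ee10-servlet:jar:12.0.25:compile
[INFO]    org.eclipse.jetty.toolchain:jetty-schemas:jar:3.1.2:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
"""

COORD = re.compile(r"[\w.-]+(?::[\w.-]+){4,5}")


def parse_version(text):
    """Return the leading major.minor.patch as a tuple, or None if absent."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def jetty_artifacts(listing):
    """Yield (group, artifact, version) for Jetty modules in the listing."""
    for token in COORD.findall(listing):
        parts = token.split(":")
        group, artifact, version = parts[0], parts[1], parts[-2]
        is_jetty = group == "org.eclipse.jetty" or group.startswith("org.eclipse.jetty.")
        # The toolchain group is versioned separately from Jetty itself.
        if is_jetty and not group.startswith("org.eclipse.jetty.toolchain"):
            yield group, artifact, version


def audit(listing):
    """Report Jetty modules below FIXED and whether versions are mixed."""
    found = list(jetty_artifacts(listing))
    below = [f"{g}:{a}:{v}" for g, a, v in found
             if (parse_version(v) or (0, 0, 0)) < FIXED]
    return {"below_fix": below, "mixed": len({v for _, _, v in found}) > 1}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `below_fix` or `mixed: True` means the override pinned some Jetty modules and left others at the version Kafka declared; the comparison covers only the 12.0.25 threshold from the thread.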
