Skip to content

chore(deps): Bump jetty from 12.0.29 to 12.0.32#27294

Draft
ShahimSharafudeen wants to merge 1 commit intoprestodb:masterfrom
ShahimSharafudeen:jetty_io_cve_fix
Draft

chore(deps): Bump jetty from 12.0.29 to 12.0.32#27294
ShahimSharafudeen wants to merge 1 commit intoprestodb:masterfrom
ShahimSharafudeen:jetty_io_cve_fix

Conversation

@ShahimSharafudeen
Copy link
Copy Markdown
Contributor

@ShahimSharafudeen ShahimSharafudeen commented Mar 9, 2026
edited
Loading

Description

Upgrade jetty version from 12.0.29 to 12.0.32 to address CVE-2025-11143 and CVE-2026-1605.

[Draft] : This is a draft PR and it has a dependency on the Airlift change: prestodb/airlift#146.

Once the updated Airlift version is released(0.229), we will need to update this PR to use the Airlift version that includes the Jetty upgrade and remove the additionally added jetty-ee10-servlet dependency from this PR. This dependency was temporarily added in the absence of the Airlift change.

This PR depends on an OSS PR that needs to be merged first, since it uses Airlift 0.228 with additional code changes on the Presto side. : #27128

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade jetty dependency from 0.27 to version 2.0.2 to address `CVE-2025-11143 <https://github.com/advisories/GHSA-wjpw-4j6x-6rwh>` and `CVE-2026-1605 <https://github.com/advisories/GHSA-xxh7-fcf3-rj7f>`_

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Mar 9, 2026
@ShahimSharafudeen ShahimSharafudeen changed the title chore(deps): Bump jetty from 12.0.29 t0 12.0.32 chore(deps): Bump jetty from 12.0.29 to 12.0.32 Mar 9, 2026
@prestodb-ci
Copy link
Copy Markdown
Contributor

prestodb-ci commented Mar 13, 2026

@ShahimSharafudeen imported this issue as lakehouse/presto #27294

@ShahimSharafudeen ShahimSharafudeen added the ForwardFit Items from IBM Forward Fit label Mar 24, 2026
@prestodb-ci
Copy link
Copy Markdown
Contributor

prestodb-ci commented Mar 26, 2026

Assigning this issue to @faizdani because you are the default assignee for issue follow-up scheme ForwardFit. Feel free to re-route accordingly.

@prestodb-ci
Copy link
Copy Markdown
Contributor

prestodb-ci commented Mar 26, 2026

@faizdani
Can you please provide an update on this issue? Thank you!

@prestodb-ci prestodb-ci added follow-up-1 1st time follow-up (alchemy generated) need-follow-up Need any type of follow-up (alchemy generated) labels Mar 26, 2026
@ShahimSharafudeen ShahimSharafudeen mentioned this pull request Apr 2, 2026
Draft
7 tasks
@ShahimSharafudeen
Copy link
Copy Markdown
Contributor Author

ShahimSharafudeen commented Apr 2, 2026

This PR depends on #27128. I will be able to open and merge the current PR only after the referenced PR is merged, so I am currently waiting for that merge to complete.

@prestodb-ci
Copy link
Copy Markdown
Contributor

prestodb-ci commented Apr 2, 2026

Assigning this issue to @faizdani because you are the default assignee for issue follow-up scheme ForwardFit. Feel free to re-route accordingly.

@prestodb-ci
Copy link
Copy Markdown
Contributor

prestodb-ci commented Apr 2, 2026

@faizdani
Can you please provide an update on this issue? Thank you!

@prestodb-ci prestodb-ci added follow-up-2 2nd time follow-up (alchemy generated) and removed follow-up-1 1st time follow-up (alchemy generated) labels Apr 2, 2026
@prestodb-ci
Copy link
Copy Markdown
Contributor

prestodb-ci commented Apr 9, 2026

Assigning this issue to @faizdani because you are the default assignee for issue follow-up scheme ForwardFit. Feel free to re-route accordingly.

@prestodb-ci
Copy link
Copy Markdown
Contributor

prestodb-ci commented Apr 9, 2026

@faizdani
Can you please provide an update on this issue? Thank you!

@prestodb-ci prestodb-ci added follow-up-3 3rd time follow-up (alchemy generated) and removed follow-up-2 2nd time follow-up (alchemy generated) labels Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

follow-up-3 3rd time follow-up (alchemy generated) ForwardFit Items from IBM Forward Fit from:IBM PR from IBM need-follow-up Need any type of follow-up (alchemy generated)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ShahimSharafudeen @prestodb-ci