Upgrade Jetty to 12.0.32 and Netty to 4.1.129.Final to fix CVE-2025-5115, CVE-2026-1605, and CVE-2025-67735 #3005

Open
lfurman wants to merge 5 commits into apache:master from lfurman:cve-libraries-upgrade

Conversation


@lfurman lfurman commented Apr 11, 2026

Motivation

This PR upgrades Jetty and Netty to fix HIGH and MEDIUM severity CVEs
found in transitive dependencies.

CVEs Fixed

| CVE | Severity | Library | Before | After |
| --- | --- | --- | --- | --- |
| CVE-2025-5115 | HIGH | jetty-http2-common | 12.0.20 | 12.0.32 |
| CVE-2026-1605 | HIGH | jetty-server | 12.0.20 | 12.0.32 |
| CVE-2025-67735 | MEDIUM | netty-codec-http | 4.1.126.Final | 4.1.129.Final |
| CVE-2025-11226 | MEDIUM | logback-core/classic | already 1.5.19 | no change |
| CVE-2025-7962 | MEDIUM | angus:smtp | not in tree | no change |

Changes

pom.xml (root)

  • Bump netty.version from 4.1.126.Final to 4.1.129.Final
  • Add jetty.version property set to 12.0.32
  • Add Jetty artifacts to <dependencyManagement> to force transitive
    upgrade:
    • jetty-server, jetty-http, jetty-io, jetty-util
    • jetty-http2-common, jetty-http2-server
    • jetty-websocket-jetty-server
    • jetty-ee10-websocket-jetty-server

examples/pom.xml

  • Add same Jetty and Netty overrides independently in a new
    <dependencyManagement> block.
  • Required because examples/pom.xml inherits from org.apache:apache:23
    and not from james-project root, so root fixes are invisible here.

Verification

```shell
mvn dependency:tree > /tmp/final-tree.txt 2>&1

echo "=== JETTY CVE-2025-5115 jetty-http2-common old 12.0.20 (should be empty) ===" && grep -q ":jetty-http2-common:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY CVE-2025-5115 jetty-http2-common new 12.0.32 (should have hits) ===" && grep -q ":jetty-http2-common:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== JETTY CVE-2026-1605 jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY CVE-2026-1605 jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== JETTY jetty-websocket-jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-websocket-jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY jetty-websocket-jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-websocket-jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== JETTY jetty-ee10-websocket-jetty-server old 12.0.20 (should be empty) ===" && grep -q ":jetty-ee10-websocket-jetty-server:jar:12.0.20" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== JETTY jetty-ee10-websocket-jetty-server new 12.0.32 (should have hits) ===" && grep -q ":jetty-ee10-websocket-jetty-server:jar:12.0.32" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== NETTY CVE-2025-67735 netty-codec-http old 4.1.126 (should be empty) ===" && grep -q "netty-codec-http:jar:4.1.126" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== NETTY CVE-2025-67735 netty-codec-http new 4.1.129 (should have hits) ===" && grep -q "netty-codec-http:jar:4.1.129" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== LOGBACK CVE-2025-11226 old 1.5.18 (should be empty) ===" && grep -q "logback.*jar:1.5.18" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ None found"
echo "=== LOGBACK CVE-2025-11226 new 1.5.19 (should have hits) ===" && grep -q "logback.*jar:1.5.19" /tmp/final-tree.txt && echo "✅ Found!" || echo "❌ Not found!"

echo "=== ANGUS SMTP CVE-2025-7962 (should be empty — not in tree) ===" && grep -q "angus.*smtp" /tmp/final-tree.txt && echo "❌ Found!" || echo "✅ Not present in tree — expected"
```

Update (following reviewer feedback)

  • Reverted Netty version bump. This will be addressed in a separate PR pending the upgrade of reactor-netty, S3 driver and Cassandra driver libraries.
  • Reverted all individual Jetty dependencyManagement entries.
  • Reverted all examples/pom.xml changes.
  • Upgraded spark-core 3.0.2 → 3.0.4 which naturally pulls in Jetty 12.1.7 as a transitive dependency.

Comment thread pom.xml Outdated
<junit.vintage.version>5.13.1</junit.vintage.version>
<concurrent.version>1.3.4</concurrent.version>
<netty.version>4.1.126.Final</netty.version>
<netty.version>4.1.129.Final</netty.version>
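Review bot: the netty.version bump here is not enough on its own to show a single Netty version in the tree. io.netty artifacts that arrive through reactor-netty, the S3 driver or the Cassandra driver follow this property only if the root dependencyManagement actually manages them (for example through a netty-bom import keyed on netty.version); otherwise they keep the versions those libraries declare, and the verification in the description greps only netty-codec-http. Back the bump with `mvn dependency:tree -Dincludes=io.netty` showing every io.netty artifact, including the classifier-bearing native transports, at 4.1.129.Final, or drop the bump as the reviewer asks and do it in the coordinated Netty PR.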
Contributor

@chibenwa chibenwa Apr 11, 2026


Please drop the Netty version from here: this is a sensitive topic as we need alignment with

  • s3 driver
  • cassandra driver
  • reactor-netty

We cannot just flip the netty jar alone without risking some subtle bugs, and try our best to align.

We likely shall wait a few days for reactor-netty to push a 4.2.17 version that aligns, and pick a compatible version of the S3 driver too; it releases quite frequently. We can likely force the dependency for Cassandra - we already do it.

Author


Looking at the netty libraries in maven:

https://mvnrepository.com/artifact/io.netty/netty-all

  • 4.2.12 is the latest version for 4.2 release

For reactor-netty specifically:

https://mvnrepository.com/artifact/io.projectreactor.netty/reactor-netty

The latest version is 1.3.4.

Could you please clarify where the source for reactor-netty is?

Comment thread pom.xml Outdated
<concurrent.version>1.3.4</concurrent.version>
<netty.version>4.1.126.Final</netty.version>
<netty.version>4.1.129.Final</netty.version>
<jetty.version>12.0.32</jetty.version>
Contributor


Are we sure it does not break Spark Java?

Comment thread pom.xml Outdated
Comment on lines +2846 to +2850
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-http</artifactId>
<version>${jetty.version}</version>
</dependency>
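Review bot: managing jetty-http and the seven other artifacts listed in the description pins only those artifact IDs. Jetty modules that spark-core's Jetty brings in transitively but that are not in the list keep the version spark-core declares, so these managed entries can leave the tree with Jetty modules at two versions, and the grep in the verification section would not catch it because it matches four managed artifact IDs one by one. Either bump spark-core so that all Jetty modules move together, as suggested below, or, if the override is kept, grep the whole org.eclipse.jetty subtree (including the http2, websocket and ee10 sub-groups) for `:12.0.20` rather than individual artifact IDs.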
Contributor


I think we shall upgrade https://mvnrepository.com/artifact/org.zoomba-lang/spark-core/3.0.4 rather than forcing the version of the jetty transitive dependency.

Author


Thank you for your comment. Yes, I will test the upgrade to spark-core 3.0.4 locally and then will only include those changes in the current PR. I'll also create a different PR for the Netty upgrade of the S3 driver and Cassandra once the reactor-netty version becomes available.

Contributor

@chibenwa chibenwa Apr 13, 2026


Thanks a lot!

The netty upgrade is likely tricky as reactor-netty seems to adopt netty 4.2.x while the rest of our dependencies actually relies on Netty 4.1.x. This could make the upgrade more complex, potentially requiring approaches like shading (although that comes with its own drawbacks).

The spark-core upgrade is however likely easy and could be done straight away...

:-(

Contributor

@chibenwa chibenwa left a comment


Thanks for raising the topic.

I believe that we shall have 2 PRs, one for Jetty where we rather bump the spark core dependency, one for Netty where we do a coordinated upgrade of the dependencies that uses netty.

Would this make sense to you?

Comment thread examples/pom.xml Outdated
<james.baseVersion>${project.version}</james.baseVersion>
<james.protocols.groupId>${james.groupId}.protocols</james.protocols.groupId>
<jetty.version>12.0.32</jetty.version>
<netty.version>4.1.129.Final</netty.version>
Contributor


I don't think those additions are necessary in examples/pom.xml

Author


Thank you for the comment, sounds good. I'll delete and retest the build and check the dependency tree again.

Contributor


No problem. Thank you for trying though, as @chibenwa said, netty upgrades are always tricky. We are happy to give you support on this :)

Author


Thank you for the guidance! I have updated the PR with the following changes:

  • Reverted the Netty version bump. This will be addressed in a separate PR after the reactor-netty library is upgraded along with the S3 driver and Cassandra driver.
  • Reverted all individual Jetty dependencyManagement entries.
  • Reverted all examples/pom.xml changes.
  • Upgraded spark-core from 3.0.2 to 3.0.4 which naturally pulls in Jetty 12.1.7 as a transitive dependency.

@chibenwa
Contributor

For the jetty ones I believe #3013 to be enough.

@lfurman
Author

lfurman commented Apr 15, 2026

Since this #3013 is merged, is the current PR also good to go as well?

@chibenwa
Contributor

I do not really understand the question @lfurman

I think we can address the Netty problem:

We would then remain...

  • Cassandra driver which isn't aligned today anyway
  • Lettuce driver for redis - this is more of a problem! Lettuce ships Netty 4.2.x from 7.x onward and the latest release aligned on Netty 4.1.x is lettuce 6.8.2 CF but only ships Netty 4.1.125.FINAL. I bet let's depend on https://mvnrepository.com/artifact/io.lettuce/lettuce-core/6.8.2.RELEASE used with Jars from 4.1.132.FINAL and pray!

Validation: single version of Netty in server/apps/distributed-app/target/*.lib when we build server/apps/distributed-app

@lfurman would you be willing to try to piece this together?

Cheers,

Benoit TELLIER
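The grep-based verification in the PR description and the validation Benoit asks for above (a single Netty version in the packaged distributed-app lib directory) reduce to one check: every artifact of a framework resolves to exactly one version. The script below is an added example, not code from the PR or from the James project. It assumes the default `mvn dependency:tree` line format and Maven's `<artifactId>-<version>[-<classifier>].jar` naming, and it runs on a constructed sample tree and jar directory rather than on a real build.

```shell
#!/bin/sh
# Added example, not code from the James PR or project: gate a build on every
# io.netty and org.eclipse.jetty artifact resolving to ONE version, both in the
# `mvn dependency:tree` text the PR's verification greps and in the jar
# directory of a packaged app, which is what the review asks for distributed-app.
# Assumptions: default dependency:tree line format and Maven jar naming
# (<artifactId>-<version>[-<classifier>].jar). The sample data is constructed.
set -eu

# Print "artifactId version" for every artifact whose groupId starts with $2.
# A tree entry is groupId:artifactId:type[:classifier]:version[:scope]; the
# version is the first field after the type that starts with a digit, so a
# classifier such as linux-x86_64 is skipped rather than mistaken for one.
tree_artifacts() {  # $1 = tree file, $2 = groupId prefix
    grep -o "$2[^ ]*" "$1" | awk -F: '
        { for (i = 4; i <= NF; i++) if ($i ~ /^[0-9]/) { print $2, $i; break } }' | sort -u
}

# Number of distinct versions resolved under a groupId prefix; 1 is the goal,
# 0 means the framework is absent (the angus smtp case in the PR table).
tree_version_count() {  # $1 = tree file, $2 = groupId prefix
    tree_artifacts "$1" "$2" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Same count over a packaged lib directory: jar names starting with $2 are
# split on '-' and the first piece that starts with a digit is the version.
libdir_version_count() {  # $1 = directory, $2 = file-name prefix (e.g. netty-)
    ls "$1" | grep "^$2" | sed 's/\.jar$//' | awk -F- '
        { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]/) { print $i; break } }' \
        | sort -u | wc -l | tr -d ' '
}

# Exit 0 for absent or single-version, 1 (listing the artifacts) for mixed.
check_tree() {  # $1 = tree file, $2 = groupId prefix
    n=$(tree_version_count "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "ABSENT $2 is not in the tree"
    elif [ "$n" -eq 1 ]; then
        echo "OK     $2 resolves to a single version"
    else
        echo "FAIL   $2 mixes $n versions:"
        tree_artifacts "$1" "$2" | sed 's/^/       /'
        return 1
    fi
}

# Constructed sample, NOT the PR's real output: Netty fully aligned, but a
# partial Jetty override that left modules outside the managed list at 12.0.20.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_TREE="$SAMPLE_DIR/tree.txt"
cat > "$SAMPLE_TREE" <<'EOF'
[INFO] com.example:app:jar:1.0
[INFO] +- io.netty:netty-codec-http:jar:4.1.129.Final:compile
[INFO] |  \- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.129.Final:compile
[INFO] +- org.eclipse.jetty:jetty-server:jar:12.0.32:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:12.0.32:compile
[INFO] |  \- org.eclipse.jetty:jetty-security:jar:12.0.20:compile
[INFO] \- org.eclipse.jetty.http2:jetty-http2-common:jar:12.0.32:compile
[INFO]    \- org.eclipse.jetty.http2:jetty-http2-hpack:jar:12.0.20:compile
EOF
SAMPLE_LIB="$SAMPLE_DIR/lib"
mkdir "$SAMPLE_LIB"
for jar in netty-codec-http-4.1.129.Final.jar \
           netty-transport-native-epoll-4.1.129.Final-linux-x86_64.jar \
           jetty-server-12.0.32.jar jetty-http2-hpack-12.0.20.jar; do
    : > "$SAMPLE_LIB/$jar"
done

check_tree "$SAMPLE_TREE" io.netty                               # OK
check_tree "$SAMPLE_TREE" org.eclipse.jetty || echo "fix the Jetty override before merging"
check_tree "$SAMPLE_TREE" org.eclipse.angus                      # ABSENT
echo "netty versions in lib/: $(libdir_version_count "$SAMPLE_LIB" netty-)"   # 1
echo "jetty versions in lib/: $(libdir_version_count "$SAMPLE_LIB" jetty-)"   # 2
```

Against a real build, point tree_artifacts at the saved output of `mvn dependency:tree` and libdir_version_count at the packaged lib directory. Matching on the `org.eclipse.jetty` prefix covers the http2, websocket and ee10 sub-groups, which is what a per-artifact grep misses, and a classifier-bearing entry such as netty-transport-native-epoll is handled by skipping fields that do not start with a digit.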

@lfurman
Author

lfurman commented Apr 17, 2026

Thank you @chibenwa,

Would you prefer if I make the netty changes in another PR or this current PR? As of now, this PR includes spark-core upgrade only.

@chibenwa
Contributor

Yes another pr is likely better.

Have a good weekend

@lfurman
Author

lfurman commented Apr 20, 2026

Thank you! I will create a new PR for netty upgrade.

How about this PR. - is it ok to leave it as is with spark-core upgrade only? Is it good to be approved or more changes are needed?

@chibenwa
Contributor

IMO we shall close it once we come up with a Netty upgrade PR ;-)

@lfurman
Author

lfurman commented Apr 20, 2026

Sounds great - will create a new PR now for netty upgrade :)

3 participants