Skip to content

Upgrading Netty, Jetty and Spring 6 #6009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 3.1
Choose a base branch
from
Open

Upgrading Netty, Jetty and Spring 6 #6009

wants to merge 2 commits into from
+9 −5

Conversation

shub-est
Copy link

@shub-est shub-est commented Oct 7, 2025

Why

To remove the CVEs as outlined below:

Netty

CVE-2025-55163
CVE-2025-58056
CVE-2025-58057

Jetty
CVE-2025-5115

Spring 6
CVE-2024-38820
CVE-2025-22233
CVE-2025-41234
CVE-2025-41249

What

Upgrade the dependency versions

Netty - 4.1.122.Final -> 4.1.125.Final
Jetty - 12.0.22 -> 12.0.27
Jetty 11 - 11.0.25 -> 11.0.26
Spring 6 - 6.0.23 -> 6.2.11

Evidence
trivy_output.json

@shub-est
Upgrading Netty: 4.1.122.Final to 4.1.125.Final, Jetty from 12.0.22 t…
439e512 
…o 12.0.27, Jetty11: 11.0.25 to 11.0.26 and Spring from 6.0.23 to 6.2.11 to remediate CVE-2024-38820, CVE-2025-5115, CVE-2025-22233, CVE-2025-41234, CVE-2025-41249, CVE-2025-55163, CVE-2025-58056 and CVE-2025-58057

Signed-off-by: Shubham Kalloli <shubham.kalloli@est.tech>
@senivam
Copy link
Contributor

senivam commented Oct 8, 2025
edited
Loading

How does it differ from #6006? If you intend to target it for 3.1, then you should be aware that only one PR applies to the 3.1 branch. It will be later propagated (through a merge) to the 4.0 branch. So, both will be up to date. If my statement is true, then #6006 should be closed in favor of this.

@shub-est
Copy link
Author

shub-est commented Oct 8, 2025

Hi @senivam, you are right, the intention here was to merge changes in the branches independently. Looking at the commits, my understanding was that the branches are developed independently. I will close the #6006 in favour of this PR.

Any thoughts on #6005?

@shub-est shub-est mentioned this pull request Oct 8, 2025
Closed
@senivam
Copy link
Contributor

senivam commented Oct 8, 2025

Thank you @shub-est for aligning the PRs. Regarding the #6005 - the whole Jettison 1 module is deprecated and is in Jersey for backwards compatibility. The question is, if you really use the Jettison 1, or the purpose of the PR is only to clean out CVE's. And the note near Jettisson version warns about Jersey's incompatibility with newer versions (TKCs are failing or so). I doubt if it's possible to update the Jettison 1 version in a way that satisfies all checks in Jersey.

@shub-est
Copy link
Author

shub-est commented Oct 8, 2025
edited
Loading

I was working for cleaning up of CVEs for now.

Thanks for the clarification @senivam

@jansupol
Copy link
Contributor

jansupol commented Oct 9, 2025
edited
Loading

Upgrading Spring brings in a different version of micrometer-observation in Spring Example

[ERROR] Dependency convergence error for io.micrometer:micrometer-observation:jar:1.15.1. Paths to dependency are:
[ERROR] +-org.glassfish.jersey.validation:dependency-convergences:war:0.0.1
[ERROR]   +-org.glassfish.jersey.ext:jersey-micrometer:jar:3.1.99-SNAPSHOT:compile
[ERROR]     +-io.micrometer:micrometer-core:jar:1.15.1:compile
[ERROR]       +-io.micrometer:micrometer-observation:jar:1.15.1:compile
[ERROR] and
[ERROR] +-org.glassfish.jersey.validation:dependency-convergences:war:0.0.1
[ERROR]   +-org.glassfish.jersey.examples:helloworld-spring-webapp:jar:3.1.99-SNAPSHOT:compile
[ERROR]     +-org.springframework:spring-context:jar:6.2.11:compile
[ERROR]       +-io.micrometer:micrometer-observation:jar:1.14.11:compile
[ERROR] -> [Help 1]

@shub-est
Enforcing Micrometer 1.15.1 for Spring 6 upgrade
a4724a7 
Signed-off-by: Shubham Kalloli <shubham.kalloli@est.tech>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shub-est @senivam @jansupol