Bump jetty to 12.1.1 to resolve CVE-2025-5115

[mehradpk]

This PR upgrades jetty version from 12.0.18 to 12.1.1 to address CVE-2025-5115.

Summary of Changes:

• Upgraded Jetty dependencies to 12.1.1.
• Updated related API changes
• slf4j-api version upgraded to 2.0.17 (transitively introduced in Jetty 12.1.1).
• Verified successful build and startup of Airlift-based servers with the new version.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: mehradpk / name: Deepak Mehra (a650a2d)

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Upgrades Jetty to 12.1.1 to resolve CVE-2025-5115, adapts the async socket resolver to the new Jetty API signature, bumps slf4j-api to 2.0.17, and verifies successful build/startup.

Sequence diagram for updated resolve() method in JettyAsyncSocketAddressResolver

sequenceDiagram
participant Client
participant JettyAsyncSocketAddressResolver
participant ParentResolver
participant Promise

Client->>JettyAsyncSocketAddressResolver: resolve(host, port, context, promise)
JettyAsyncSocketAddressResolver->>JettyAsyncSocketAddressResolver: resolve(host)
alt address is present
    JettyAsyncSocketAddressResolver->>Promise: succeeded([InetSocketAddress])
else address not present
    JettyAsyncSocketAddressResolver->>ParentResolver: resolve(host, port, context, promise)
end

Loading

Class diagram for updated JettyAsyncSocketAddressResolver API

classDiagram
class JettyAsyncSocketAddressResolver {
    +JettyAsyncSocketAddressResolver(Executor executor, Scheduler scheduler, Logger log)
    +resolve(String host, int port, Map<String, Object> context, Promise<List<InetSocketAddress>> promise)
    -resolve(String host, int port, Promise<List<InetSocketAddress>> promise) // removed
    -resolve(String host) Optional<InetAddress>
}

class ParentResolver {
    +resolve(String host, int port, Map<String, Object> context, Promise<List<InetSocketAddress>> promise)
}

JettyAsyncSocketAddressResolver --|> ParentResolver

Loading

File-Level Changes

Change	Details	Files
Adapted async socket resolver to new Jetty API signature	Added context parameter to resolve method Modified super.resolve call to include context	http-client/src/main/java/com/facebook/airlift/http/client/jetty/JettyAsyncSocketAddressResolver.java
Bumped Jetty dependency to address CVE-2025-5115	Updated dep.jetty.version property from 12.0.18 to 12.1.1	pom.xml
Upgraded slf4j-api version	Bumped slf4j-api version from 2.0.16 to 2.0.17	pom.xml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[tdcmeehan]

@mehradpk for some reason tests weren't run on this PR, PTAL at https://github.com/prestodb/airlift/actions/runs/18757839330/job/53514316697#step:4:23403 and make sure this isn't related to this code.

[mehradpk]

@tdcmeehan The failure can be likely due to Jetty 12.1.x stricter shutdown behavior introduced as the test failed in CI is getting passed in local.

jetty/jetty.project#2717 which made shutdown async-aware by switching to _requestStats, which counts all active requests to be completed before shutdown.

In Airlift, AbstractHttpClientTest sets server.setStopTimeout(3000), which may be insufficient for the new shutdown behavior, causing a TimeoutException during teardown. Increasing the stopTimeout or configuring a graceful shutdown may help accommodate Jetty new behavior.

[tdcmeehan]

@mehradpk can you please raise a PR to fix it?

[aaneja]

So Jetty releases have minor and micro versions.
IMO since with Jetty 12.1.1 we have seen

• test failures , in this PR
• other related test failures - Fix CI failure in TestJettyHttpsClientSpnego.testNegotiateAuthScheme #130
• we have not tested Presto with Jetty 12.1

we should switch to Jetty 12.0.25+ which also fixes the CVE

We can do a little more testing with Jetty 12.1 releases and make sure Presto works well before cutting a release with it

@tdcmeehan @mehradpk WDYT ?

[tdcmeehan]

Agreed