chore(deps): Bump jetty from 12.0.29 to 12.0.34 by ShahimSharafudeen · Pull Request #146 · prestodb/airlift

ShahimSharafudeen · 2026-03-09T13:57:24Z

Upgrade jetty version from 12.0.29 to 12.0.32 to address CVE-2025-11143, CVE-2026-1605 and CVE-2026-2332..

linux-foundation-easycla · 2026-03-09T13:57:34Z

The committers listed above are authorized under a signed CLA.

✅ login: ShahimSharafudeen / name: Shahim Sharafudeen (8586fdd)

sonarqubecloud · 2026-03-09T14:01:36Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

mblanco-denodo · 2026-04-09T13:31:09Z

Prerrequisite: #148

sonarqubecloud · 2026-04-23T10:21:02Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud · 2026-05-20T11:04:35Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

ShahimSharafudeen · 2026-05-21T10:16:05Z

Airlift local build :

Presto Local build with Airlift change :

Dependnecy tree after presto local build :

Testing Ailift changes in Presto using jitpack :

Unable to build Presto using the JitPack Airlift dependency due to multiple issues, such as the ones listed below.

drift-maven-plugin resolves the wrong coordinates.
Airlift Launcher resolves coordinates that JitPack does not publish

Error Screenshot :

This is an existing difficulty while testing the JitPack Airlift dependency in Presto:
Ref link for previous testing : #132 (comment)

agrawalreetika · 2026-05-21T11:12:24Z

Why are we not upgrading close to latest?

ShahimSharafudeen · 2026-05-21T12:14:39Z

@agrawalreetika - Jetty 12.1.x encountered some serious issues in Airlift, which is why the Jetty version was previously downgraded to the 12.0.x series. For the current fix, I have used a recent stable CVE-patched version from the 12.0.x series.
Ref previous Jetty downgrade PR : #132

agrawalreetika

Code changes lgtm, I think if there is complexity in testing complete Presto CI without publishing, then we can try the Presto PR update after publishing the changes of airlift.

## Description Upgrade jetty version from 12.0.29 to 12.0.32 to address CVE-2025-11143 and CVE-2026-1605. Dependent Airlift PR : prestodb/airlift#146. ## Motivation and Context   ## Impact  ## Test Plan  ## Contributor checklist - [ ] Please make sure your submission complies with our [contributing guide](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md), in particular [code style](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#code-style) and [commit standards](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#commit-standards). - [ ] PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced. - [ ] Documented new properties (with its default value), SQL syntax, functions, or other functionality. - [ ] If release notes are required, they follow the [release notes guidelines](https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines). - [ ] Adequate tests were added if applicable. - [ ] CI passed. - [ ] If adding new dependencies, verified they have an [OpenSSF Scorecard](https://securityscorecards.dev/#the-checks) score of 5.0 or higher (or obtained explicit TSC approval for lower scores). ## Release Notes Please follow [release notes guidelines](https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines) and fill in the release notes below. ``` == RELEASE NOTES == Security Changes * Upgrade jetty dependency from 0.27 to version 2.0.2 to address `CVE-2025-11143 <https://github.com/advisories/GHSA-wjpw-4j6x-6rwh>` and `CVE-2026-1605 <https://github.com/advisories/GHSA-xxh7-fcf3-rj7f>`_ ```

ShahimSharafudeen force-pushed the jetty-io_cve_fix branch from 24f55db to 230dfdc Compare March 9, 2026 14:00

ShahimSharafudeen marked this pull request as ready for review March 9, 2026 15:27

ShahimSharafudeen requested a review from a team as a code owner March 9, 2026 15:27

ShahimSharafudeen mentioned this pull request Mar 9, 2026

chore(deps): Bump jetty from 12.0.29 to 12.0.34 prestodb/presto#27294

Merged

7 tasks

ShahimSharafudeen force-pushed the jetty-io_cve_fix branch 2 times, most recently from 277cf13 to d3fffdf Compare April 20, 2026 07:37

ShahimSharafudeen changed the title ~~chore(deps): Bump jetty from 12.0.29 to 12.0.32~~ chore(deps): Bump jetty from 12.0.29 to 12.0.34 Apr 20, 2026

ShahimSharafudeen force-pushed the jetty-io_cve_fix branch from d3fffdf to 8586fdd Compare April 23, 2026 10:19

Dilli-Babu-Godari requested a review from agrawalreetika May 7, 2026 10:38

chore(deps): Bump jetty from 12.0.29 to 12.0.34

bf98093

ShahimSharafudeen force-pushed the jetty-io_cve_fix branch from 8586fdd to bf98093 Compare May 20, 2026 11:03

agrawalreetika approved these changes May 21, 2026

View reviewed changes

tdcmeehan approved these changes May 21, 2026

View reviewed changes

tdcmeehan merged commit 6b0a61a into prestodb:master May 21, 2026
3 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): Bump jetty from 12.0.29 to 12.0.34#146

chore(deps): Bump jetty from 12.0.29 to 12.0.34#146
tdcmeehan merged 1 commit into
prestodb:masterfrom
ShahimSharafudeen:jetty-io_cve_fix

ShahimSharafudeen commented Mar 9, 2026 •

edited

Loading

Uh oh!

linux-foundation-easycla Bot commented Mar 9, 2026 •

edited

Loading

Uh oh!

sonarqubecloud Bot commented Mar 9, 2026

Uh oh!

mblanco-denodo commented Apr 9, 2026

Uh oh!

sonarqubecloud Bot commented Apr 23, 2026

Uh oh!

sonarqubecloud Bot commented May 20, 2026

Uh oh!

ShahimSharafudeen commented May 21, 2026

Uh oh!

agrawalreetika commented May 21, 2026 •

edited

Loading

Uh oh!

ShahimSharafudeen commented May 21, 2026

Uh oh!

agrawalreetika left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

ShahimSharafudeen commented Mar 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

linux-foundation-easycla Bot commented Mar 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sonarqubecloud Bot commented Mar 9, 2026

Quality Gate passed

Uh oh!

mblanco-denodo commented Apr 9, 2026

Uh oh!

sonarqubecloud Bot commented Apr 23, 2026

Quality Gate passed

Uh oh!

sonarqubecloud Bot commented May 20, 2026

Quality Gate passed

Uh oh!

ShahimSharafudeen commented May 21, 2026

Uh oh!

agrawalreetika commented May 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ShahimSharafudeen commented May 21, 2026

Uh oh!

agrawalreetika left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

ShahimSharafudeen commented Mar 9, 2026 •

edited

Loading

linux-foundation-easycla Bot commented Mar 9, 2026 •

edited

Loading

agrawalreetika commented May 21, 2026 •

edited

Loading