lhotari opened a new pull request, #4775: URL: https://github.com/apache/bookkeeper/pull/4775
### Motivation Upgrade Netty from 4.2.12.Final to 4.2.13.Final to pick up security fixes and bug fixes. ### Netty 4.2.13.Final summary Release notes: https://netty.io/news/2026/05/04/4-2-13-Final.html Netty 4.2.13.Final addresses 13 CVEs across multiple modules: - `netty-codec-http` / `netty-codec-http2` — CVE-2026-42587, CVE-2026-41417, CVE-2026-42581, CVE-2026-42580, CVE-2026-42585, CVE-2026-42584 - `netty-codec` / `netty-codec-compression` — CVE-2026-42583 - `netty-codec-redis` — CVE-2026-42586 - `netty-codec-mqtt` — CVE - `netty-codec-dns` — CVE-2026-42579 - `netty-codec-http3` — CVE-2026-42582 - `netty-handler-proxy` — CVE-2026-42578 - `netty-transport-native-epoll` — CVE-2026-42577 Other notable fixes in 4.2.13.Final: - HTTP/2 preface transmission ordering and HTTP chunk parsing with multiple extensions - `sendfile` `EINTR` offset advancement - Resource leak fixes in `PemReader` and `CRYPTO_BUFFER_POOL` cleanup - Guarded malloc failures in the DNS resolver and SSL_CTX_new error handling - `IndexOutOfBoundsException` in `StompSubframeDecoder` - Native transport: kqueue `shutdownInput`, `pipe2` fallback, fd-reuse fixes - API additions: public `LocalIoHandle` and generic `FileRegion` support - Bumps `netty-tcnative` to 2.0.77.Final ### netty-tcnative 2.0.75.Final → 2.0.77.Final summary Compare: https://github.com/netty/netty-tcnative/compare/netty-tcnative-parent-2.0.75.Final...netty-tcnative-parent-2.0.77.Final Highlights from the tcnative changelog: - **OpenSSL 3.6 for `openssl-dynamic`** — version 1.1 is no longer shipped on many modern OSes; this also enables post-quantum / hybrid key exchange algorithms when running against OpenSSL ≥ 3.5. - **Use-after-free / dangling pointer fix** for session tickets on OpenSSL 3.x (`OSSL_PARAM_construct_octet_string` stores a raw pointer; key bytes are now copied into a stable buffer owned by the ticket-keys allocation). - **Memory-leak fixes**: `setSessionTicketKeys0` when `GetByteArrayElements` fails, `CRYPTO_BUFFER` leaks during decompression and on push failures, dangling global ref in the verifier setter. - **Robustness against allocation/JNI failures**: NULL checks for `OPENSSL_malloc` in ALPN/NPN setup, `GetIntArrayElements`, `GetStringUTFChars`, and `apr_thread_rwlock_create` return values. - **Undefined-behavior fixes**: uninitialized `proto_len`, wrong `%s` format specifier for a `jint`, missing semicolon in an old-OpenSSL `#ifdef` branch. - **ALPN/NPN fallback correctness** — fall back to the last *local* supported protocol instead of the last peer-offered one. - **SSL info callback** moved to per-context creation (`SSLContext.make(...)`) instead of per `SSL` instance. - **Async verifier**: correctly tracks chain length / cert count so the `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` substitution fires on truncated chains. - **JNI hygiene**: clear pending exceptions thrown from the keylog callback; delete local refs created in loops to avoid local-ref-table overflow. - **Better diagnostics**: more meaningful exceptions when `SSLContext.make(...)` fails. - **Cross-compilation**: aarch64 boringssl-static build restored; force `HAVE_PTHREAD_RWLOCKS=1` so locks are available when cross-compiling. - New API: `SSL.getVersionInt()` to avoid string allocation on every handshake. ### Changes - Bump `netty.version` from `4.2.12.Final` to `4.2.13.Final` in `pom.xml`. - Regenerate `LICENSE-*.bin.txt` and `NOTICE-*.bin.txt` for the bundled Netty jars. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
