lhotari opened a new pull request, #4775:
URL: https://github.com/apache/bookkeeper/pull/4775

   ### Motivation
   
   Upgrade Netty from 4.2.12.Final to 4.2.13.Final to pick up security fixes 
and bug fixes.
   
   ### Netty 4.2.13.Final summary
   
   Release notes: https://netty.io/news/2026/05/04/4-2-13-Final.html
   
   Netty 4.2.13.Final addresses 13 CVEs across multiple modules:
   
   - `netty-codec-http` / `netty-codec-http2` — CVE-2026-42587, CVE-2026-41417, 
CVE-2026-42581, CVE-2026-42580, CVE-2026-42585, CVE-2026-42584
   - `netty-codec` / `netty-codec-compression` — CVE-2026-42583
   - `netty-codec-redis` — CVE-2026-42586
   - `netty-codec-mqtt` — CVE
   - `netty-codec-dns` — CVE-2026-42579
   - `netty-codec-http3` — CVE-2026-42582
   - `netty-handler-proxy` — CVE-2026-42578
   - `netty-transport-native-epoll` — CVE-2026-42577
   
   Other notable fixes in 4.2.13.Final:
   
   - HTTP/2 preface transmission ordering and HTTP chunk parsing with multiple 
extensions
   - `sendfile` `EINTR` offset advancement
   - Resource leak fixes in `PemReader` and `CRYPTO_BUFFER_POOL` cleanup
   - Guarded malloc failures in the DNS resolver and SSL_CTX_new error handling
   - `IndexOutOfBoundsException` in `StompSubframeDecoder`
   - Native transport: kqueue `shutdownInput`, `pipe2` fallback, fd-reuse fixes
   - API additions: public `LocalIoHandle` and generic `FileRegion` support
   - Bumps `netty-tcnative` to 2.0.77.Final
   
   ### netty-tcnative 2.0.75.Final → 2.0.77.Final summary
   
   Compare: 
https://github.com/netty/netty-tcnative/compare/netty-tcnative-parent-2.0.75.Final...netty-tcnative-parent-2.0.77.Final
   
   Highlights from the tcnative changelog:
   
   - **OpenSSL 3.6 for `openssl-dynamic`** — version 1.1 is no longer shipped 
on many modern OSes; this also enables post-quantum / hybrid key exchange 
algorithms when running against OpenSSL ≥ 3.5.
   - **Use-after-free / dangling pointer fix** for session tickets on OpenSSL 
3.x (`OSSL_PARAM_construct_octet_string` stores a raw pointer; key bytes are 
now copied into a stable buffer owned by the ticket-keys allocation).
   - **Memory-leak fixes**: `setSessionTicketKeys0` when `GetByteArrayElements` 
fails, `CRYPTO_BUFFER` leaks during decompression and on push failures, 
dangling global ref in the verifier setter.
   - **Robustness against allocation/JNI failures**: NULL checks for 
`OPENSSL_malloc` in ALPN/NPN setup, `GetIntArrayElements`, `GetStringUTFChars`, 
and `apr_thread_rwlock_create` return values.
   - **Undefined-behavior fixes**: uninitialized `proto_len`, wrong `%s` format 
specifier for a `jint`, missing semicolon in an old-OpenSSL `#ifdef` branch.
   - **ALPN/NPN fallback correctness** — fall back to the last *local* 
supported protocol instead of the last peer-offered one.
   - **SSL info callback** moved to per-context creation 
(`SSLContext.make(...)`) instead of per `SSL` instance.
   - **Async verifier**: correctly tracks chain length / cert count so the 
`X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` substitution fires on truncated 
chains.
   - **JNI hygiene**: clear pending exceptions thrown from the keylog callback; 
delete local refs created in loops to avoid local-ref-table overflow.
   - **Better diagnostics**: more meaningful exceptions when 
`SSLContext.make(...)` fails.
   - **Cross-compilation**: aarch64 boringssl-static build restored; force 
`HAVE_PTHREAD_RWLOCKS=1` so locks are available when cross-compiling.
   - New API: `SSL.getVersionInt()` to avoid string allocation on every 
handshake.
   
   ### Changes
   
   - Bump `netty.version` from `4.2.12.Final` to `4.2.13.Final` in `pom.xml`.
   - Regenerate `LICENSE-*.bin.txt` and `NOTICE-*.bin.txt` for the bundled 
Netty jars.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to