This is an automated email from the ASF dual-hosted git repository.
abhishekrb19 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 43278bce1b6 build(deps): Update Netty to 4.2.15.Final to address multiple CVEs (#19566)
43278bce1b6 is described below
commit 43278bce1b6b516837798455cf6211ecb4063780
Author: Ashwin Tumma <[email protected]>
AuthorDate: Mon Jun 22 08:55:25 2026 -0700
build(deps): Update Netty to 4.2.15.Final to address multiple CVEs (#19566)
* Update Netty to 4.2.14.Final to address multiple CVEs
This update addresses 17 critical and high severity CVEs in Netty:
- CVE-2026-42583: Lz4FrameDecoder resource exhaustion (HIGH)
- CVE-2026-42579: HTTP response desynchronization (HIGH)
- CVE-2026-42585: MQTT resource exhaustion (MODERATE)
- CVE-2026-33870: HTTP request smuggling via quoted strings (HIGH)
- CVE-2025-67735: DNS codec validation bypass (HIGH)
- CVE-2026-42587: HTTP/3 QPACK unbounded allocation (HIGH)
- CVE-2026-41417: Epoll transport DoS via RST (HIGH)
- CVE-2026-42584: HTTP request smuggling via Transfer-Encoding (MODERATE)
- CVE-2026-42581: HTTP request smuggling via chunk size parsing (MODERATE)
- CVE-2026-42580: Redis codec CRLF injection (MODERATE)
- CVE-2026-33871: HTTP header injection via HttpProxyHandler (LOW)
- CVE-2026-42582: Additional HTTP codec vulnerabilities
- CVE-2026-44248: MQTT 5 decoder resource exhaustion (HIGH)
- CVE-2026-42586: Additional resource consumption issues
- CVE-2025-59419: Security improvements
- CVE-2026-42578: Additional security fixes
- CVE-2026-42577: Additional security fixes
Updated netty4.version from 4.2.12.Final to 4.2.14.Final.
All CVEs are fixed in version 4.2.13.Final and later.
* Update licenses.yaml for Netty 4.2.14.Final
* Add missing netty-codec-classes-quic to licenses.yaml
The Netty 4.2.14.Final upgrade introduced a new transitive dependency
io.netty:netty-codec-classes-quic which was missing from the licenses.yaml
file, causing license validation failures in CI.
This module provides QUIC protocol codec support and is licensed under
Apache License version 2.0, consistent with all other Netty modules.
* Upgrade Netty to 4.2.15.Final to address additional CVEs
Updates Netty from 4.2.14.Final to 4.2.15.Final to address 26 additional
critical security vulnerabilities discovered after the 4.2.14 release.
* Properly document Javassist MPL 1.1 triple-licensing
Javassist is triple-licensed under MPL 1.1, LGPL 2.1, and Apache License 2.0.
Apache Druid uses it under Apache 2.0 terms.
Changes:
1. Add MPL 1.1 as a recognized license in check-licenses.py
2. Update Javassist entry in licenses.yaml to declare MPL 1.1 as its
primary license with a notice explaining the triple-licensing and that
we use it under Apache 2.0 terms
This addresses review feedback to properly canonicalize MPL 1.1 to its
own license name rather than hiding it by mapping to Apache 2.0.
Addresses: Review comment from FrankChen021 on PR #19566
* Update netty-tcnative to 2.0.77.Final for azure-extensions
Netty 4.2.15.Final pulls in netty-tcnative 2.0.77.Final as a transitive
dependency in druid-azure-extensions. Update licenses.yaml to register
the new version.
---------
Co-authored-by: Ashwin Tumma <[email protected]>
---
distribution/bin/check-licenses.py | 3 +++
licenses.yaml | 15 ++++++++++++---
pom.xml | 2 +-
3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/distribution/bin/check-licenses.py
b/distribution/bin/check-licenses.py
index 7c85494862c..e484928865b 100755
--- a/distribution/bin/check-licenses.py
+++ b/distribution/bin/check-licenses.py
@@ -299,6 +299,9 @@ def build_compatible_license_names():
compatible_licenses['Mozilla Public License Version 2.0'] = 'Mozilla
Public License Version 2.0'
compatible_licenses['Mozilla Public License, Version 2.0'] = 'Mozilla
Public License Version 2.0'
+ compatible_licenses['MPL 1.1'] = 'MPL 1.1'
+ compatible_licenses['Mozilla Public License 1.1'] = 'MPL 1.1'
+
compatible_licenses['Creative Commons Attribution 2.5'] = 'Creative
Commons Attribution 2.5'
compatible_licenses['Creative Commons CC0'] = 'Creative Commons CC0'
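Review bot: the canonical value chosen on the two added lines, 'MPL 1.1', breaks the convention of the neighbouring entries, which canonicalize both spellings of MPL 2.0 to the long form 'Mozilla Public License Version 2.0'; for symmetry use 'Mozilla Public License Version 1.1' as the canonical name and also map the comma variant ('Mozilla Public License, Version 1.1'), as the 2.0 block does. Note too that this is a global change to build_compatible_license_names(): after it, any dependency that declares MPL 1.1 passes the check, not only Javassist, so the commit message should state that MPL 1.1 is now accepted as a compatible license in its own right rather than describing only the Javassist case.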
diff --git a/licenses.yaml b/licenses.yaml
index 5712ec2a924..9895cb1b639 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1485,7 +1485,7 @@ name: Netty
license_category: binary
module: java-core
license_name: Apache License version 2.0
-version: 4.2.12.Final
+version: 4.2.15.Final
libraries:
- io.netty: netty-buffer
- io.netty: netty-codec
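Review bot: the version string on this line has to move in lockstep with netty4.version in pom.xml, but nothing in check-licenses.py ties the two together, so the next Netty upgrade can leave one of them stale again; the commit message itself still cites 4.2.14.Final in several places after the final jump to 4.2.15.Final, which shows how easily the copies drift. Consider having the license check read the resolved Netty version from the build instead of a hand-maintained string, or at least record in the PR which licenses.yaml entries must be touched on every Netty bump.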
@@ -1506,6 +1506,7 @@ libraries:
- io.netty: netty-transport-native-epoll
- io.netty: netty-transport-native-unix-common
- io.netty: netty-codec-http2
+ - io.netty: netty-codec-classes-quic
- io.netty: netty-resolver-dns-classes-macos
- io.netty: netty-transport-classes-kqueue
- io.netty: netty-resolver-dns-native-macos
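Review bot: registering netty-codec-classes-quic here satisfies the license check, but the question the PR should answer is whether Druid wants a QUIC/HTTP/3 codec on the classpath at all. The commit message describes it as a new transitive dependency introduced by the upgrade, and one of the CVEs listed in the same message (CVE-2026-42587, HTTP/3 QPACK unbounded allocation) lives in exactly that code path. If no Druid module uses QUIC, an explicit Maven exclusion would remove the surface instead of documenting it; if one does, name that module in the commit message so the addition is justified.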
@@ -4682,7 +4683,7 @@ name: Netty
license_category: binary
module: extensions/druid-azure-extensions
license_name: Apache License version 2.0
-version: 2.0.75.Final
+version: 2.0.77.Final
libraries:
- io.netty: netty-tcnative-boringssl-static
- io.netty: netty-tcnative-classes
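Review bot: this entry is titled 'Netty' yet carries the separate netty-tcnative version line (2.0.77.Final), which is easy to confuse with the 4.2.x entry earlier in the file when reading two Netty bumps in one patch; renaming it 'Netty tcnative' would make the diff self-explanatory. Since netty-tcnative-boringssl-static is the statically linked TLS provider, this is the half of the upgrade that changes the crypto used by druid-azure-extensions, so the commit message should say which tcnative version Netty 4.2.15.Final requires rather than only that it 'pulls it in' transitively.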
@@ -7132,7 +7133,15 @@ libraries:
name: Javassist
license_category: binary
module: extensions-core/druid-kerberos
-license_name: Apache License version 2.0
+license_name: MPL 1.1
version: 3.30.2-GA
libraries:
- org.javassist: javassist
+notice: |
+ Javassist is triple-licensed under MPL 1.1, LGPL 2.1, and Apache License 2.0.
+ Apache Druid uses Javassist under the Apache License 2.0 terms.
+
+ From the Javassist license page (https://www.javassist.org/):
+ "Javassist is distributed under the Mozilla Public License 1.1 (MPL),
+ the GNU Lesser General Public License 2.1 (LGPL), and the Apache License 2.0
(AL).
+ You can choose one of them."
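Review bot: license_name: MPL 1.1 now contradicts the notice directly beneath it, which states that Druid uses Javassist under Apache License 2.0. Any tooling that reads only license_name (the check, or whatever generates the distribution's LICENSE and NOTICE) will report Javassist as MPL 1.1 even though the project has elected Apache 2.0. The commit message says review asked for MPL 1.1 to be canonicalized rather than hidden, which is fine, but the election should then be recorded in a machine-readable way as well (for example a field naming the chosen license next to the triple-license notice) so the decision survives consumers that never read the free-text notice.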
diff --git a/pom.xml b/pom.xml
index 9827f232c19..38d1a245b19 100644
--- a/pom.xml
+++ b/pom.xml
@@ -111,7 +111,7 @@
<mysql.version>8.2.0</mysql.version>
<mariadb.version>2.7.3</mariadb.version>
<netty3.version>3.10.6.Final</netty3.version>
- <netty4.version>4.2.12.Final</netty4.version>
+ <netty4.version>4.2.15.Final</netty4.version>
<postgresql.version>42.7.11</postgresql.version>
<protobuf.version>3.25.8</protobuf.version>
<resilience4j.version>1.3.1</resilience4j.version>
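Review bot: netty3.version (3.10.6.Final) sits untouched on the line above the bump. That is a separate, much older Netty line that none of the fixes listed in the commit message (all stated to land in 4.2.13.Final and later) cover, so if anything in Druid still resolves netty3 the set of CVEs this PR claims to address is incomplete; please confirm what still depends on netty3.version or open a follow-up to remove it. Also, the message body still says 'Updated netty4.version from 4.2.12.Final to 4.2.14.Final' while this hunk goes straight to 4.2.15.Final; cleaning that up in the squashed message would save a reader from checking out the wrong tag.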
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]