This is an automated email from the ASF dual-hosted git repository.

showuon pushed a commit to branch 3.9
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/3.9 by this push:
     new e118c087212 MINOR: Upgrade netty to 4.125 for CVE-2025-58057 (#20734)
e118c087212 is described below

commit e118c08721254567b2fdd40d4a932a2a8dfda56a
Author: Shicheng Rao <[email protected]>
AuthorDate: Mon Oct 20 21:51:01 2025 -0400

    MINOR: Upgrade netty to 4.125 for CVE-2025-58057 (#20734)
    
    https://nvd.nist.gov/vuln/detail/CVE-2025-58057 lists netty versions
    4.1.124.Final and below as vulnerable, so this commit bumps netty to
    4.1.125.Final.
    
    Signed-off-by: Shicheng Rao <[email protected]>
    
    Reviewers: Luke Chen <[email protected]>, Chia-Ping Tsai 
<[email protected]>
---
 LICENSE-binary             | 18 +++++++++---------
 gradle/dependencies.gradle |  2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index b4b0bc4ebf7..26ade82f12e 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -244,15 +244,15 @@ lz4-java-1.8.0
 maven-artifact-3.9.6
 metrics-core-4.1.12.1
 metrics-core-2.2.0
-netty-buffer-4.1.119.Final
-netty-codec-4.1.119.Final
-netty-common-4.1.119.Final
-netty-handler-4.1.119.Final
-netty-resolver-4.1.119.Final
-netty-transport-4.1.119.Final
-netty-transport-classes-epoll-4.1.119.Final
-netty-transport-native-epoll-4.1.119.Final
-netty-transport-native-unix-common-4.1.119.Final
+netty-buffer-4.1.125.Final
+netty-codec-4.1.125.Final
+netty-common-4.1.125.Final
+netty-handler-4.1.125.Final
+netty-resolver-4.1.125.Final
+netty-transport-4.1.125.Final
+netty-transport-classes-epoll-4.1.125.Final
+netty-transport-native-epoll-4.1.125.Final
+netty-transport-native-unix-common-4.1.125.Final
 opentelemetry-proto-1.0.0-alpha
 plexus-utils-3.5.1
 reflections-0.10.2
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index 1127dd26033..f659099a587 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -143,7 +143,7 @@ versions += [
   lz4: "1.8.0",
   mavenArtifact: "3.9.6",
   metrics: "2.2.0",
-  netty: "4.1.119.Final",
+  netty: "4.1.125.Final",
   opentelemetryProto: "1.0.0-alpha",
   protobuf: "3.25.5", // a dependency of opentelemetryProto
   pcollections: "4.0.1",
