lhotari opened a new pull request, #25670:
URL: https://github.com/apache/pulsar/pull/25670

   ### Motivation
   
   This PR upgrades Netty to [4.1.133.Final](https://netty.io/news/2026/05/04/4-1-133-Final.html) (released 2026-05-04) and `netty-tcnative` to `2.0.77.Final` to pick up multiple security fixes and bug fixes.
   
   #### Security fixes addressed by Netty 4.1.133.Final
   
   Per the [Netty 4.1.133.Final release notes](https://netty.io/news/2026/05/04/4-1-133-Final.html), this release addresses the following CVEs:
   
   - CVE-2026-42586 (`netty-codec-redis`)
   - CVE-2026-42578 (`netty-handler-proxy`)
   - CVE-2026-42587 (`netty-codec-http`, `netty-codec-http2`)
   - CVE-2026-41417 (`netty-codec-http`)
   - CVE-2026-42581 (`netty-codec-http`)
   - CVE-2026-42580 (`netty-codec-http`)
   - CVE-2026-42585 (`netty-codec-http`)
   - CVE-2026-42579 (`netty-codec-dns`)
   - CVE-2026-42582 (`netty-codec-http3`)
   - CVE-2026-42583 (`netty-codec`, `netty-codec-compression`)
   - CVE-2026-42584 (`netty-codec-http`)
   - additional CVE in `netty-codec-mqtt`
   
   #### Notable bug fixes also included in 4.1.133.Final
   
   - Fix `IndexOutOfBoundsException` in `StompSubframeDecoder` on heartbeat
   - Kqueue sendfile fix preventing data duplication
   - `PemReader` memory leak prevention during `OutOfDirectMemoryError`
   - Native DNS resolver safeguards against malloc failures
   - MQTT properties `isEmpty` now considers user properties and subscription IDs
   - HTTP chunk parsing with multiple extensions corrected
   - Epoll error handling standardized to return negative values
   - HTTP/2 stream error handling for `maxContentLength` violations
   - HTTP/2 preface transmission ensured as initial message (client and server)
   - NPE prevention in `JdkSslServerContext` and `JdkSslClientContext`
   - `netty-tcnative` upgraded to `2.0.77.Final`
   
   ### Modifications
   
   - Bump `netty` from `4.1.132.Final` to `4.1.133.Final` in `gradle/libs.versions.toml`
   - Bump `netty-tcnative` from `2.0.75.Final` to `2.0.77.Final` in `gradle/libs.versions.toml`
   - Update `distribution/server/src/assemble/LICENSE.bin.txt` and `distribution/shell/src/assemble/LICENSE.bin.txt` to reflect new Netty/tcnative versions
   
   ### Verifying this change
   
   - [x] Make sure that the change passes the CI checks.
   
   This change is a trivial rework / code cleanup without any test coverage. It is a pure dependency version bump; existing tests exercise the affected Netty code paths.
   
   ### Does this pull request potentially affect one of the following parts:
   
   *If the box was checked, please highlight the changes*
   
   - [x] Dependencies (add or upgrade a dependency)
   - [ ] The public API
   - [ ] The schema
   - [ ] The default values of configurations
   - [ ] The threading model
   - [ ] The binary protocol
   - [ ] The REST endpoints
   - [ ] The admin CLI options
   - [ ] The metrics
   - [ ] Anything that affects deployment
   
   Upgrades the `netty` (`4.1.132.Final` -> `4.1.133.Final`) and `netty-tcnative` (`2.0.75.Final` -> `2.0.77.Final`) dependencies.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
