spuru9 opened a new pull request, #28363:
URL: https://github.com/apache/flink/pull/28363
## What is the purpose of the change
Bump `io.netty:netty-bom` from `4.2.13.Final` to `4.2.15.Final` to pick up
CVE fixes for the Netty modules Flink actually uses (non-shaded scope). Follows
the prior bump in #28124.
## Brief change log
- `pom.xml`: bump `netty-bom` 4.2.13.Final → 4.2.15.Final
- Update matching `META-INF/NOTICE` entries in `flink-rpc-akka`,
`flink-python`, and `flink-s3-fs-native` so `NoticeFileChecker` passes
## CVEs addressed
Of the CVEs fixed in 4.2.15.Final, these apply to modules Flink imports:
| CVE | Module | Issue |
|---|---|---|
| CVE-2026-47244 | netty-codec-http2 | advertised MAX_CONCURRENT_STREAMS not enforced |
| CVE-2026-44249 | netty-handler | IPv6 subnet filter bypass via incorrect comparator masking |
| CVE-2026-45416 | netty-handler | SNI handler pre-allocates up to 16 MiB from nine attacker bytes |
CVE-2026-45536 (`netty-transport-native-kqueue`, Unix-socket fd leak) does
not apply — Flink does not bundle the kqueue native transport (only
`netty-transport-classes-epoll` and `netty-transport-native-unix-common` are
bundled).
## Scope
Non-shaded only, mirroring the prior PR #28072 / FLINK-39580 split and
#28124. The runtime networking path that flows through `flink-shaded-netty`
(currently `4.2.6.Final`) carries the same fixes but requires a separate sync
in the `flink-shaded` repo and is not addressed here.
## Verifying this change
This change is a dependency version bump with no code changes; it is covered
by the existing test suite and CI, including `NoticeFileChecker`, which
validates the updated `META-INF/NOTICE` files against the bundled dependencies.
## Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): **yes**
- The public API, i.e., is any changed class annotated with
`@Public(Evolving)`: no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no
- Anything that affects deployment or recovery: JobManager (and its
components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
- The S3 file system connector: no (NOTICE-only update)
## Documentation
- Does this pull request introduce a new feature? no
- If yes, how is the feature documented? not applicable
## AI Disclosure
- [x] I confirm that AI agents (e.g. Cursor, Claude code, Github Copilot)
were used in the process of creating this PR. Tool: Claude Code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
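The applicability reasoning in the "CVEs addressed" and "Scope" sections (an advisory matters only if the affected module is actually bundled and the pinned version is older than the fix) and the NOTICE consistency check mentioned under "Verifying this change" can be written down as a small script. The following is an added example and not code from the PR or from Flink's `NoticeFileChecker`; the bundled-artifact set, the NOTICE line format (`- io.netty:<artifact>:<version>`) and the sample NOTICE text are constructed assumptions, while the CVE identifiers and versions are those stated in the PR.

```python
"""Applicability check for a Netty BOM bump (added example, not project code).

Given the netty-bom version a pom pins, the Netty artifacts a distribution
actually bundles, and the advisories fixed in the target release, report
which advisories are still live, and flag NOTICE entries that disagree with
the pinned version. All inputs below are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    module: str
    fixed_in: str


# Advisories named in the PR, with the release that fixes them.
ADVISORIES = [
    Advisory("CVE-2026-47244", "netty-codec-http2", "4.2.15.Final"),
    Advisory("CVE-2026-44249", "netty-handler", "4.2.15.Final"),
    Advisory("CVE-2026-45416", "netty-handler", "4.2.15.Final"),
    Advisory("CVE-2026-45536", "netty-transport-native-kqueue", "4.2.15.Final"),
]

# Constructed (assumption): Netty artifacts bundled in the non-shaded scope.
# The kqueue native transport is deliberately absent, as the PR states.
BUNDLED_NON_SHADED = {
    "netty-codec-http2",
    "netty-handler",
    "netty-transport-classes-epoll",
    "netty-transport-native-unix-common",
}


def parse_version(version):
    """'4.2.13.Final' -> (4, 2, 13); the qualifier is ignored for ordering."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\w+)?", version)
    if not m:
        raise ValueError(f"unrecognised Netty version: {version!r}")
    return tuple(int(x) for x in m.groups())


def live_advisories(pinned_version, bundled_modules):
    """CVEs whose module is bundled and whose fix is newer than the pin."""
    pinned = parse_version(pinned_version)
    return sorted(
        a.cve
        for a in ADVISORIES
        if a.module in bundled_modules and parse_version(a.fixed_in) > pinned
    )


# Assumed NOTICE entry format: "- io.netty:<artifact>:<version>".
NOTICE_LINE = re.compile(r"^- io\.netty:(?P<artifact>[\w-]+):(?P<version>[\w.]+)$")


def notice_mismatches(notice_text, expected_version):
    """(artifact, version) pairs of Netty NOTICE entries not at the pinned version."""
    mismatches = []
    for line in notice_text.splitlines():
        m = NOTICE_LINE.match(line.strip())
        if m and m.group("version") != expected_version:
            mismatches.append((m.group("artifact"), m.group("version")))
    return mismatches


# Constructed sample NOTICE: one entry left behind at the old version.
SAMPLE_NOTICE = """\
- io.netty:netty-handler:4.2.13.Final
- io.netty:netty-codec-http2:4.2.15.Final
- org.apache.commons:commons-lang3:3.12.0
"""

if __name__ == "__main__":
    for pin in ("4.2.13.Final", "4.2.15.Final"):
        print(pin, "non-shaded live:", live_advisories(pin, BUNDLED_NON_SHADED))
    # The shaded copy named in the PR is still behind the fix release.
    print("4.2.6.Final shaded live:", live_advisories("4.2.6.Final", BUNDLED_NON_SHADED))
    print("NOTICE mismatches:", notice_mismatches(SAMPLE_NOTICE, "4.2.15.Final"))
```

Running the script shows the three non-shaded CVEs as live at 4.2.13.Final and cleared at 4.2.15.Final, never lists the kqueue advisory because that module is not in the bundled set, and reports the stale `netty-handler` NOTICE entry; the separate check against `4.2.6.Final` mirrors the PR's point that the `flink-shaded-netty` path still needs its own sync.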