dongjoon-hyun opened a new pull request, #56373:
URL: https://github.com/apache/spark/pull/56373

   ### What changes were proposed in this pull request?
   
   This PR aims to upgrade `Netty` to 4.2.15.Final.
   
   ### Why are the changes needed?
   
   To bring the latest bug fixes:
   
   - https://netty.io/news/2026/06/01/4-2-15-Final.html
     - [CVE-2026-48059](https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j): memory exhaustion in io.netty:netty-codec-haproxy (high).
     - [CVE-2026-47691](https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85): DNS cache poisoning in io.netty:netty-resolver-dns (high).
     - [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in io.netty:netty-codec-http2.
     - [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7): memory exhaustion in io.netty:netty-codec-redis (high).
     - [CVE-2026-44250](https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2): memory exhaustion in io.netty:netty-codec-redis (high).
     - [CVE-2026-44890](https://github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3): memory exhaustion in io.netty:netty-codec-redis (high).
     - [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in io.netty:netty-codec-classes-quic.
     - [CVE-2026-44249](https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in io.netty:netty-handler (high).
     - [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c): request smuggling in io.netty:netty-codec-http.
     - [CVE-2026-44892](https://github.com/netty/netty/security/advisories/GHSA-c2rx-5r8w-8xr2): memory exhaustion in io.netty:netty-codec-http3 (high).
     - [CVE-2026-44893](https://github.com/netty/netty/security/advisories/GHSA-cc37-9q2j-3hfv): memory leak in io.netty:netty-codec-haproxy (high).
     - [CVE-2026-44894](https://github.com/netty/netty/security/advisories/GHSA-cmm3-54f8-px4j): traffic amplification in io.netty:netty-codec-classes-quic (high).
     - [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
     - [CVE-2026-45673](https://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78): DNS cache poisoning in io.netty:netty-resolver-dns.
     - [CVE-2026-45416](https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in io.netty:netty-handler (high).
     - [CVE-2026-45536](https://github.com/netty/netty/security/advisories/GHSA-w573-9ffj-6ff9): file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
     - [CVE-2026-45674](https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc): DNS cache poisoning in io.netty:netty-resolver-dns (high).
     - [CVE-2026-46340](https://github.com/netty/netty/security/advisories/GHSA-5xrh-qmmq-w6ch): memory exhaustion in io.netty:netty-transport-sctp (high).
     - [CVE-2026-47244](https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q): denial of service in io.netty:netty-codec-http2.
     - [CVE-2026-48006](https://github.com/netty/netty/security/advisories/GHSA-6jv9-x5w9-2ccm): memory exhaustion in io.netty:netty-codec-redis (high).
     - [CVE-2026-48748](https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6): memory exhaustion in io.netty:netty-codec-http3 (high).
     - [CVE-2026-48043](https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j): memory exhaustion in io.netty:netty-codec-http2.
     - Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup [#16836](https://github.com/netty/netty/pull/16836)
     - HTTP/2: Parse request-target path like Vert.x [#16810](https://github.com/netty/netty/pull/16810)
     - ChannelInitializer: correct misleading comment on exceptionCaught route [#16853](https://github.com/netty/netty/pull/16853)
     - FlowControlHandler: Suppress duplicate channelReadComplete after draining queue [#16837](https://github.com/netty/netty/pull/16837)
     - Pass maxAllocation to Brotli and Zstd decoders [#16844](https://github.com/netty/netty/pull/16844)
     - Add maxWindowLog parameter to ZstdDecoder to bound memory allocation [#16850](https://github.com/netty/netty/pull/16850)
     - MQTT: Reject malformed no-payload packets with non-zero Remaining Length [#16890](https://github.com/netty/netty/pull/16890)
   
   - https://netty.io/news/2026/05/20/4-2-14-Final.html
   
   ### Does this PR introduce _any_ user-facing change?
   
   No.
   
   ### How was this patch tested?
   
   Pass the CIs.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Opus 4.8

