[BugFix][CVE] bump netty to 4.1.135.Final (backport #74668)#74719

Merged
wanpengfei-git merged 1 commit into branch-4.1.2 from mergify/bp/branch-4.1.2/pr-74668 on Jun 12, 2026
Conversation

@mergify mergify Bot (Contributor) commented Jun 12, 2026

Upgrade io.netty from 4.1.133.Final to 4.1.135.Final across all three Java trees (fe/, java-extensions/, fs_brokers/) to remediate the CVEs fixed after 4.1.133.Final:

  • CVE-2026-45416 (io.netty:netty-handler, < 4.1.135): SNI handler pre-allocates up to 16 MiB from nine attacker-controlled bytes; repeated connections exhaust the Java heap (DoS).
  • CVE-2026-44249 (io.netty:netty-handler, < 4.1.135): IPv6 subnet filter bypass via incorrect masking in IpSubnetFilterRule.compareTo.
  • CVE-2026-45673 (io.netty:netty-resolver-dns, < 4.1.135): DNS cache poisoning due to predictable PRNG transaction IDs and a default static UDP source port.
  • CVE-2026-45536 (io.netty:netty-transport-native-epoll/kqueue, < 4.1.135): unix-socket fd receive leaks descriptors when the peer sends two at once.

Netty is both a direct dependency (netty-all, netty-handler) and a transitive one (grpc, AWS SDK v2, arrow-memory-netty, Hadoop); all of them are forced to the patched version through the existing io.netty.version property and the netty-bom dependencyManagement / Gradle platform entries, so this is a property-only bump:

  • fe/pom.xml: io.netty.version 4.1.133.Final -> 4.1.135.Final
  • fe/build.gradle.kts: same bump in ext
  • java-extensions/pom.xml: same bump
  • fs_brokers/apache_hdfs_broker/src/pom.xml: same bump

Why I'm doing:

What I'm doing:

Fixes #issue

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
    • This pr needs auto generate documentation
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 4.1
    • 4.0
    • 3.5

This is an automatic backport of pull request #74668 done by [Mergify](https://mergify.com).

Signed-off-by: Kevin Cai <kevin.cai@phoenixdata.ai>
(cherry picked from commit 5a71ce1)
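A property-only bump only remediates the listed CVEs if every transitive io.netty artifact (grpc, AWS SDK v2, arrow-memory-netty, Hadoop) actually resolves to 4.1.135.Final; a dependency pulled in outside the BOM's reach would silently stay on an older version. A quick post-bump check is to run `mvn dependency:tree -Dincludes=io.netty` in each of the three Java trees and scan the output for any netty artifact below the target version. The POSIX shell script below is an added example, not code from this PR or its repository: the dependency-tree text it scans is a constructed sample, and the function names `netty_below_min` and `check_netty_versions` are my own.

```shell
#!/bin/sh
# Added example: verify that no io.netty artifact in a Maven dependency tree
# is older than the patched version. Produce the real tree with
#   mvn dependency:tree -Dincludes=io.netty
# and pass its output as the first argument of check_netty_versions.

MIN_NETTY="4.1.135.Final"

# Constructed sample tree (not real project output): one transitive artifact
# is still on 4.1.133.Final, which the check must flag.
SAMPLE_TREE='[INFO] com.example:fe:jar:1.0
[INFO] +- io.netty:netty-all:jar:4.1.135.Final:compile
[INFO] +- io.grpc:grpc-netty:jar:1.60.0:compile
[INFO] |  \- io.netty:netty-handler:jar:4.1.135.Final:compile
[INFO] +- org.apache.arrow:arrow-memory-netty:jar:14.0.0:compile
[INFO] |  \- io.netty:netty-buffer:jar:4.1.133.Final:compile
[INFO] \- io.netty:netty-resolver-dns:jar:4.1.135.Final:compile'

# Constructed sample tree where the version property / BOM pin has taken effect.
FIXED_TREE='[INFO] com.example:fe:jar:1.0
[INFO] +- io.netty:netty-all:jar:4.1.135.Final:compile
[INFO] +- org.apache.arrow:arrow-memory-netty:jar:14.0.0:compile
[INFO] |  \- io.netty:netty-buffer:jar:4.1.135.Final:compile'

# netty_below_min TREE MIN
# Prints "artifact:version" for every io.netty artifact whose version sorts
# below MIN. sort -V compares numeric components, so 4.1.133.Final < 4.1.135.Final.
netty_below_min() {
  printf '%s\n' "$1" | grep -o 'io\.netty:[^:]*:jar:[^:]*' | sort -u |
  while IFS=: read -r _ artifact _ version; do
    lowest=$(printf '%s\n%s\n' "$version" "$2" | sort -V | head -n 1)
    if [ "$version" != "$2" ] && [ "$lowest" = "$version" ]; then
      printf '%s:%s\n' "$artifact" "$version"
    fi
  done
}

# check_netty_versions TREE MIN
# Exit status 0 when every io.netty artifact is at or above MIN, 1 otherwise
# (offending artifacts are listed on stderr), so it can gate a CI job.
check_netty_versions() {
  violations=$(netty_below_min "$1" "$2")
  if [ -n "$violations" ]; then
    printf 'io.netty artifacts below %s:\n%s\n' "$2" "$violations" >&2
    return 1
  fi
  return 0
}

if check_netty_versions "$SAMPLE_TREE" "$MIN_NETTY"; then
  echo "sample tree: all io.netty artifacts are at or above $MIN_NETTY"
else
  echo "sample tree: a transitive io.netty artifact escaped the pin"
fi
check_netty_versions "$FIXED_TREE" "$MIN_NETTY" && echo "fixed tree: clean"
```

Run against the real tree with `check_netty_versions "$(mvn -q dependency:tree -Dincludes=io.netty)" 4.1.135.Final` from fe/, java-extensions/ and fs_brokers/apache_hdfs_broker/src/; a non-zero exit means a transitive artifact is not covered by the io.netty.version property or the netty-bom entry and needs its own dependencyManagement pin.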
@wanpengfei-git wanpengfei-git enabled auto-merge (squash) June 12, 2026 03:05
@mergify mergify Bot mentioned this pull request Jun 12, 2026
@wanpengfei-git wanpengfei-git merged commit c39b3bc into branch-4.1.2 Jun 12, 2026
38 checks passed
@wanpengfei-git wanpengfei-git deleted the mergify/bp/branch-4.1.2/pr-74668 branch June 12, 2026 03:49