ashwintumma23 opened a new pull request, #19551: URL: https://github.com/apache/druid/pull/19551
## Summary

This PR updates Netty from version 4.2.12.Final to 4.2.14.Final to address 17 critical and high severity CVEs.

## CVEs Addressed

### High Severity:

- **CVE-2026-42583**: Lz4FrameDecoder resource exhaustion
- **CVE-2026-42579**: HTTP response desynchronization
- **CVE-2026-33870**: HTTP request smuggling via quoted strings in chunked transfer encoding
- **CVE-2025-67735**: DNS codec input validation bypass
- **CVE-2026-42587**: HTTP/3 QPACK literal unbounded allocation
- **CVE-2026-41417**: Epoll transport denial of service via RST on half-closed TCP connection
- **CVE-2026-44248**: MQTT 5 decoder resource exhaustion

### Moderate Severity:

- **CVE-2026-42585**: MQTT resource exhaustion in MqttDecoder
- **CVE-2026-42584**: HTTP request smuggling due to malformed Transfer-Encoding
- **CVE-2026-42581**: HTTP request smuggling due to incorrect chunk size parsing
- **CVE-2026-42580**: CRLF injection in Netty Redis Codec Encoder
- **CVE-2026-42582**: Additional HTTP codec vulnerabilities

### Low Severity:

- **CVE-2026-33871**: HTTP header injection via HttpProxyHandler disabled validation

### Additional Fixes:

- **CVE-2026-42586**: Additional resource consumption issues
- **CVE-2025-59419**: Security improvements
- **CVE-2026-42578**: Additional security fixes
- **CVE-2026-42577**: Additional security fixes

## Changes

- Updated `netty4.version` property from `4.2.12.Final` to `4.2.14.Final` in root `pom.xml`

## Verification

All CVEs listed are fixed in Netty version 4.2.13.Final and later. Version 4.2.14.Final is the latest stable release as of May 2026.

## References

- Netty Security Advisories: https://github.com/netty/netty/security/advisories
- CVE Details: https://nvd.nist.gov/
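A defender-side check for the verification claim in the PR, added here as an example and not part of the PR or of Druid's own code: it reads the `netty4.version` property from a constructed `pom.xml` fragment, compares it against the minimum fixed release the PR names (4.2.13.Final) using numeric component comparison rather than string comparison (so 4.2.9 correctly sorts below 4.2.14, and an RC qualifier sorts below Final), and applies the same one-property bump the PR makes. The sample POM, the minimum-version constant and the helper function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a root pom.xml (not Druid's real pom.xml), kept
# minimal so the example runs offline.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <netty4.version>4.2.12.Final</netty4.version>
  </properties>
</project>
"""

# Release in which, per the PR description, every listed CVE is fixed.
MIN_FIXED_NETTY = "4.2.13.Final"


def read_property(pom_xml: str, name: str) -> str:
    """Return the text of <properties><name> from a POM, ignoring the
    Maven XML namespace (POMs may or may not declare it)."""
    root = ET.fromstring(pom_xml)
    for props in root:
        if props.tag.split("}")[-1] == "properties":
            for child in props:
                if child.tag.split("}")[-1] == name:
                    return (child.text or "").strip()
    raise KeyError(f"property {name!r} not found in POM")


def parse_netty_version(version: str) -> tuple:
    """Split '4.2.12.Final' into (4, 2, 12, qualifier_rank).

    Numeric parts compare as integers so 4.2.9 < 4.2.14 (plain string
    comparison gets this wrong). A missing qualifier or 'Final' ranks
    above any pre-release qualifier (Alpha1, Beta2, RC1, ...) of the
    same x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?", version)
    if not m:
        raise ValueError(f"unrecognised Netty version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    rank = 1 if (qualifier or "Final").lower() == "final" else 0
    return (int(major), int(minor), int(patch), rank)


def is_at_least(version: str, minimum: str) -> bool:
    return parse_netty_version(version) >= parse_netty_version(minimum)


def check_pom(pom_xml: str, minimum: str = MIN_FIXED_NETTY) -> dict:
    """Report whether the POM's netty4.version meets the fixed release."""
    current = read_property(pom_xml, "netty4.version")
    return {
        "current": current,
        "minimum": minimum,
        "patched": is_at_least(current, minimum),
    }


def bump_property(pom_xml: str, name: str, new_value: str) -> str:
    """Replace the value of one <name>...</name> property textually, so the
    rest of the file keeps its formatting (the same one-line change the
    PR makes to pom.xml)."""
    pattern = re.compile(rf"(<{re.escape(name)}>)([^<]*)(</{re.escape(name)}>)")
    new_xml, count = pattern.subn(rf"\g<1>{new_value}\g<3>", pom_xml, count=1)
    if count != 1:
        raise KeyError(f"property {name!r} not found for bump")
    return new_xml


if __name__ == "__main__":
    before = check_pom(SAMPLE_POM)
    after = check_pom(bump_property(SAMPLE_POM, "netty4.version", "4.2.14.Final"))
    print("before:", before)
    print("after: ", after)
```

Run against a real `pom.xml` by passing its contents to `check_pom`; a `patched` value of `False` flags a build still on a Netty release older than the one the advisories name as fixed.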
