dependabot[bot] opened a new pull request, #67: URL: https://github.com/apache/qpid-jms/pull/67
Bumps [io.netty:netty-handler](https://github.com/netty/netty) from 4.1.133.Final to 4.1.135.Final. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/netty/netty/releases";>io.netty:netty-handler's releases</a>.</em></p> <blockquote> <h2>netty-4.1.135.Final</h2> <h2>Security fixes</h2> <ul> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j";>CVE-2026-48059</a>: memory exhaustion in <code>io.netty:netty-codec-haproxy</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85";>CVE-2026-47691</a>: DNS cache poisoning in <code>io.netty:netty-resolver-dns</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm";>CVE-2026-50560</a>: DDoS in <code>io.netty:netty-codec-http2</code>.</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7";>CVE-2026-50011</a>: memory exhaustion in <code>io.netty:netty-codec-redis</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2";>CVE-2026-44250</a>: memory exhaustion in <code>io.netty:netty-codec-redis</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3";>CVE-2026-44890</a>: memory exhaustion in <code>io.netty:netty-codec-redis</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86";>CVE-2026-44249</a>: IPv6 subnet filter bypass in <code>io.netty:netty-handler</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c";>CVE-2026-50020</a>: request smuggling in <code>io.netty:netty-codec-http</code>.</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-cc37-9q2j-3hfv";>CVE-2026-44893</a>: memory leak in <code>io.netty:netty-codec-haproxy</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9";>CVE-2026-50010</a>: TLS hostname verification accidentally disabled in <code>io.netty:netty-handler</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78";>CVE-2026-45673</a>: DNS cache poisoning in <code>io.netty:netty-resolver-dns</code>.</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh";>CVE-2026-45416</a>: excessive memory usage from SNIHandler in <code>io.netty:netty-handler</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-w573-9ffj-6ff9";>CVE-2026-45536</a>: file descriptor leak in <code>io.netty:netty-transport-native-epoll</code> and <code>io.netty:netty-transport-native-kqueue</code>.</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc";>CVE-2026-45674</a>: DNS cache poisoning in <code>io.netty:netty-resolver-dns</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-5xrh-qmmq-w6ch";>CVE-2026-46340</a>: memory exhaustion in <code>io.netty:netty-transport-sctp</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q";>CVE-2026-47244</a>: denial of service in <code>io.netty:netty-codec-http2</code>.</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-6jv9-x5w9-2ccm";>CVE-2026-48006</a>: memory exhaustion in <code>io.netty:netty-codec-redis</code> (high).</li> <li><a href="https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j";>CVE-2026-48043</a>: memory exhaustion in <code>io.netty:netty-codec-http2</code>.</li> </ul> <h2>What's Changed</h2> <ul> <li>Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by <a href="https://github.com/netty-project-bot";><code>@netty-project-bot</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16834";>netty/netty#16834</a></li> <li>ChannelInitializer: correct misleading comment on exceptionCaught route by <a href="https://github.com/daguimu";><code>@daguimu</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16847";>netty/netty#16847</a></li> <li>HTTP/2: Parse request-target path like Vert.x (4.1 backport) by <a href="https://github.com/yawkat";><code>@yawkat</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16856";>netty/netty#16856</a></li> <li>HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16861";>netty/netty#16861</a></li> <li>IpSubnetFilter: Correctly handle ipv6 by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16860";>netty/netty#16860</a></li> <li>Configurable bound on RedisArrayAggregator by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16858";>netty/netty#16858</a></li> <li>Redis: Limit decoded length by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16859";>netty/netty#16859</a></li> <li>DNS: Ensure query id is not predictible by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16870";>netty/netty#16870</a></li> <li>Wrapping plain trust manager silently disables hostname verification by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16868";>netty/netty#16868</a></li> <li>MQTT: Reject malformed no-payload packets with non-zero Remaining Length by <a href="https://github.com/daguimu";><code>@daguimu</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16852";>netty/netty#16852</a></li> <li>Fix revapi warnings (<a href="https://redirect.github.com/netty/netty/issues/16885";>#16885</a>) by <a href="https://github.com/chrisvest";><code>@chrisvest</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16892";>netty/netty#16892</a></li> <li>HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16866";>netty/netty#16866</a></li> <li>SSL: Use sane defaults as limits for the client hello length and timeout by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16871";>netty/netty#16871</a></li> <li>DNS: Only cache CNAME if part of the queried domain by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16873";>netty/netty#16873</a></li> <li>HTTP/2: Enforce max concurrent streams for misbehaving clients by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16876";>netty/netty#16876</a></li> <li>Dns: Insufficient Bailiwick Validation for NS Records by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16877";>netty/netty#16877</a></li> <li>HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16880";>netty/netty#16880</a></li> <li>Pass maxAllocation to Brotli and Zstd decoders (<a href="https://redirect.github.com/netty/netty/issues/16844";>#16844</a>) by <a href="https://github.com/chrisvest";><code>@chrisvest</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16886";>netty/netty#16886</a></li> <li>HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16883";>netty/netty#16883</a></li> <li>Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by <a href="https://github.com/netty-project-bot";><code>@netty-project-bot</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16894";>netty/netty#16894</a></li> <li>HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16881";>netty/netty#16881</a></li> <li>Epoll / Kqueue: Correctly handle receive of FD by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16872";>netty/netty#16872</a></li> <li>SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16875";>netty/netty#16875</a></li> <li>Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16878";>netty/netty#16878</a></li> <li>Redis: Limit the maximum number of nested arrays by <a href="https://github.com/normanmaurer";><code>@normanmaurer</code></a> in <a href="https://redirect.github.com/netty/netty/pull/16882";>netty/netty#16882</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/netty/netty/compare/netty-4.1.134.Final...netty-4.1.135.Final";>https://github.com/netty/netty/compare/netty-4.1.134.Final...netty-4.1.135.Final</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/netty/netty/commit/f05f765d81460799c53123a207f665bf3b465171";><code>f05f765</code></a> [maven-release-plugin] prepare release netty-4.1.135.Final</li> <li><a href="https://github.com/netty/netty/commit/728c98b8ec6597faaccebdc20bf757d6f4b6310b";><code>728c98b</code></a> Redis: Limit the maximum number of nested arrays (<a href="https://redirect.github.com/netty/netty/issues/16882";>#16882</a>)</li> <li><a href="https://github.com/netty/netty/commit/ced30adba26730f0c004c828f607059a050fefb1";><code>ced30ad</code></a> Redis: Correctly release incomplete message on removal when using RedisArrayA...</li> <li><a href="https://github.com/netty/netty/commit/cef5395186369f6bf7a8caac34e4de1596ba9f15";><code>cef5395</code></a> SCTP: Limit the number of inflight incomplete SCTP messages and the number of...</li> <li><a href="https://github.com/netty/netty/commit/652663cb50c3be6378969be2cf84472743e0109f";><code>652663c</code></a> Epoll / Kqueue: Correctly handle receive of FD (<a href="https://redirect.github.com/netty/netty/issues/16872";>#16872</a>)</li> <li><a href="https://github.com/netty/netty/commit/bd6214fe1c3bae1d42aad6e372657b5b2c1f5105";><code>bd6214f</code></a> HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (<a href="https://redirect.github.com/netty/netty/issues/16881";>#16881</a>)</li> <li><a href="https://github.com/netty/netty/commit/d7f9069d9e966e0f426429b18973417af066e3d4";><code>d7f9069</code></a> Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...</li> <li><a href="https://github.com/netty/netty/commit/b831454889b20776be6a73daad329404c4682e94";><code>b831454</code></a> HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (<a href="https://redirect.github.com/netty/netty/issues/16883";>#16883</a>)</li> <li><a href="https://github.com/netty/netty/commit/51260aa57e8e9538d31083624226afd793cc675f";><code>51260aa</code></a> Pass maxAllocation to Brotli and Zstd decoders (<a href="https://redirect.github.com/netty/netty/issues/16844";>#16844</a>) (<a href="https://redirect.github.com/netty/netty/issues/16886";>#16886</a>)</li> <li><a href="https://github.com/netty/netty/commit/db6138b168699736a6463c367e12ad0a4c36a25e";><code>db6138b</code></a> HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...</li> <li>Additional commits viewable in <a href="https://github.com/netty/netty/compare/netty-4.1.133.Final...netty-4.1.135.Final";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/qpid-jms/network/alerts). </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
