From 1af110a839ebaa645cdddafa580031b5535ddda3 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Tue, 31 Mar 2026 11:55:19 +1100 Subject: [PATCH 1/2] Upgrade Netty to 4.1.132.Final to fix CVE-2026-33870 and CVE-2026-33871 Add Netty BOM to dependencyManagement to override the vulnerable transitive Netty version (~4.1.115.Final) pulled in by Vert.x 4.5.21. - CVE-2026-33870: HTTP request smuggling via chunked extension parsing (CVSS 7.5) - CVE-2026-33871: HTTP/2 DoS via CONTINUATION frame flood (CVSS 8.7) See: UID2-6837 Co-Authored-By: Claude Opus 4.6 --- pom.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pom.xml b/pom.xml index 5188ee14a..85a91ad1a 100644 --- a/pom.xml +++ b/pom.xml @@ -28,6 +28,7 @@ 21 21 21 + 4.1.132.Final @@ -45,6 +46,18 @@ + + + + io.netty + netty-bom + ${netty.version} + pom + import + + + + com.google.guava From 9d398d72830b89fc0057e81ea2b3b044ebb9e020 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Tue, 31 Mar 2026 14:33:18 +1100 Subject: [PATCH 2/2] Update uid2-shared to 11.4.16 Co-Authored-By: Claude Opus 4.6 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 85a91ad1a..9f2a75e10 100644 --- a/pom.xml +++ b/pom.xml @@ -23,7 +23,7 @@ 2.1.0 2.1.19 2.1.9 - 11.4.12 + 11.4.16 ${project.version} 21 21
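Review bot: in the first hunk of PATCH 1/2 (@@ -28,6 +28,7 @@) the new property holding `4.1.132.Final` has no comment recording why it exists; since the value deliberately overrides the Netty line that Vert.x 4.5.21 pulls in, add a short XML comment beside it naming the Vert.x version it was pinned against and the two CVE ids from the commit message, so the next person bumping Vert.x knows this override must be re-checked (and can be dropped once Vert.x itself ships a patched Netty).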
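Review bot: the dependencyManagement hunk (@@ -45,6 +46,18 @@) importing `io.netty` / `netty-bom` / `${netty.version}` with scope `import` only wins over the Vert.x transitive versions if no earlier-imported BOM already manages the same io.netty artifacts; Maven resolves conflicting managed versions by first declaration, so if this POM (or a parent) imports a Vert.x stack BOM, the Netty BOM must be declared before it. The hunk shows the import placed ahead of `com.google.guava` but nothing else in the dependencyManagement section, so please confirm the ordering and attach the output of `mvn dependency:tree -Dincludes=io.netty` to the PR showing every io.netty artifact resolved at 4.1.132.Final; an enforcer bannedDependencies rule rejecting older io.netty versions would keep a future Vert.x bump from silently reintroducing the vulnerable line.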
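Review bot: PATCH 2/2 (@@ -23,7 +23,7 @@) bumps uid2-shared from `11.4.12` to `11.4.16` without stating the reason in the commit message; say whether the newer uid2-shared is required for compatibility with Netty 4.1.132.Final, whether it carries its own Netty override, or whether it is an unrelated update riding along with the CVE fix, since a reader of the history otherwise cannot tell which of the two patches is the actual remediation and which is safe to revert independently.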