
UID2-7251: bump netty to 4.1.135.Final to fix 4 HIGH CVEs#2593

Merged

swibi-ttd merged 1 commit into main from swi-UID2-7251-netty-4.1.135 on Jun 9, 2026

Conversation

@swibi-ttd

Contributor

What

Bumps netty.version from 4.1.133.Final → 4.1.135.Final in the operator pom.

Why

The Trivy scan in the operator publish workflows (e.g. publish-azure-cc-enclave-docker) fails on 4 HIGH netty CVEs in the operator jar:

| Library | CVE | Fixed in |
|---|---|---|
| io.netty:netty-handler | CVE-2026-44249 (IPv6 subnet filter bypass) | 4.1.135.Final |
| io.netty:netty-handler | CVE-2026-45416 (SNI handler 16 MiB pre-alloc) | 4.1.135.Final |
| io.netty:netty-resolver-dns | CVE-2026-45674 (DNS cache poisoning) | 4.1.135.Final |
| io.netty:netty-resolver-dns | CVE-2026-47691 (insufficient bailiwick validation) | 4.1.135.Final |

The operator pins netty directly via the netty.version property + netty-bom import, so it does not inherit the version from uid2-shared — the bump has to happen here. uid2-shared PR #614 bumped netty to 4.1.133.Final, which is below the fix version and does not clear the scan.

Verification

  • mvn dependency:tree -Dincludes=io.netty confirms all netty-4.1.x artifacts resolve to 4.1.135.Final (netty-bom forces them).
  • mvn clean compile → BUILD SUCCESS against Vert.x 4.5.21.
  • These are the only 4 vulns in the scan (alpine OS, sources jar, and all python-pkg targets report 0), so this clears the scan entirely.

🤖 Generated with Claude Code
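An added check, not part of this PR or of the uid2-operator project, that automates the first verification bullet above: it reads `mvn dependency:tree -Dincludes=io.netty` output and lists every io.netty artifact still resolving below the fix version, so a stale pin is caught before the Trivy scan runs. The `SAMPLE_TREE` lines are constructed to mimic dependency:tree output and are not from the real build.

```shell
#!/bin/sh
# Added check: reads `mvn dependency:tree -Dincludes=io.netty` output on stdin
# and prints every io.netty artifact that resolves below the required version.
# Exit status 0 when all artifacts are at or above it, 1 otherwise.
# Versions are compared on their three numeric fields (4.1.135.Final -> 4,1,135).

netty_below_min() {
  awk -v min="$1" '
    function vernum(v,    p) {
      split(v, p, ".")
      return p[1] * 1000000 + p[2] * 1000 + p[3]
    }
    # Match the Maven coordinate groupId:artifactId:jar:version: on each line
    match($0, /io\.netty:[A-Za-z0-9._-]+:jar:[0-9.]+[A-Za-z]*:/) {
      coord = substr($0, RSTART, RLENGTH)
      split(coord, f, ":")            # f[2]=artifactId, f[4]=version
      if (vernum(f[4]) < vernum(min)) {
        print f[1] ":" f[2] ":" f[4]
        bad = 1
      }
    }
    END { if (bad) exit 1 }
  '
}

# Constructed sample output (not from the real build): one artifact still pinned
# at 4.1.133.Final, the situation the PR description describes.
SAMPLE_TREE='[INFO] com.example:operator:jar:1.0.0
[INFO] +- io.vertx:vertx-core:jar:4.5.21:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.135.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.1.133.Final:compile
[INFO] |  \- io.netty:netty-codec-http:jar:4.1.135.Final:compile'

# The same tree after the bom forces every artifact to the fix version.
FIXED_TREE=$(printf '%s\n' "$SAMPLE_TREE" | sed 's/4\.1\.133\.Final/4.1.135.Final/')

# Real usage: mvn dependency:tree -Dincludes=io.netty | netty_below_min 4.1.135.Final
if printf '%s\n' "$SAMPLE_TREE" | netty_below_min 4.1.135.Final; then
  echo "all io.netty artifacts >= 4.1.135.Final"
else
  echo "artifacts listed above are below the fix version" >&2
fi
```

On the real tree the check only sees artifacts Maven actually resolved, so it should run after the pom change and before the Trivy scan in the publish workflow.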

The Trivy scan in publish-azure-cc-enclave-docker (and all operator
publishes) fails on 4 HIGH netty CVEs in the operator jar:

  io.netty:netty-handler      CVE-2026-44249, CVE-2026-45416
  io.netty:netty-resolver-dns CVE-2026-45674, CVE-2026-47691

All four are fixed in netty 4.1.135.Final. The operator pins netty
directly via the netty.version property + netty-bom import, so it does
not inherit the version from uid2-shared; the bump must be made here.

uid2-shared PR #614 bumped netty to 4.1.133.Final, which is below the
4.1.135.Final fix version for these CVEs and so does not clear the scan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@swibi-ttd swibi-ttd reopened this Jun 9, 2026
@swibi-ttd swibi-ttd merged commit 099936d into main Jun 9, 2026
11 checks passed
@swibi-ttd swibi-ttd deleted the swi-UID2-7251-netty-4.1.135 branch June 9, 2026 04:19
