This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new a6a4678ebf1 [fix][sec] Upgrade Netty to 4.1.133.Final to address CVEs 
(#25670)
a6a4678ebf1 is described below

commit a6a4678ebf19a9af6b6161e9cd54304a3901373c
Author: Lari Hotari <[email protected]>
AuthorDate: Tue May 5 12:14:39 2026 +0300

    [fix][sec] Upgrade Netty to 4.1.133.Final to address CVEs (#25670)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 54 ++++++++++++------------
 distribution/shell/src/assemble/LICENSE.bin.txt  | 52 +++++++++++------------
 gradle/libs.versions.toml                        |  4 +-
 3 files changed, 55 insertions(+), 55 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index b9940dcc866..da5712293ed 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -293,33 +293,33 @@ The Apache Software License, Version 2.0
     - org.apache.commons-commons-lang3-3.20.0.jar
     - org.apache.commons-commons-text-1.14.0.jar
  * Netty
-    - io.netty-netty-buffer-4.1.132.Final.jar
-    - io.netty-netty-codec-4.1.132.Final.jar
-    - io.netty-netty-codec-dns-4.1.132.Final.jar
-    - io.netty-netty-codec-http-4.1.132.Final.jar
-    - io.netty-netty-codec-http2-4.1.132.Final.jar
-    - io.netty-netty-codec-socks-4.1.132.Final.jar
-    - io.netty-netty-codec-haproxy-4.1.132.Final.jar
-    - io.netty-netty-common-4.1.132.Final.jar
-    - io.netty-netty-handler-4.1.132.Final.jar
-    - io.netty-netty-handler-proxy-4.1.132.Final.jar
-    - io.netty-netty-resolver-4.1.132.Final.jar
-    - io.netty-netty-resolver-dns-4.1.132.Final.jar
-    - io.netty-netty-resolver-dns-classes-macos-4.1.132.Final.jar
-    - io.netty-netty-resolver-dns-native-macos-4.1.132.Final-osx-aarch_64.jar
-    - io.netty-netty-resolver-dns-native-macos-4.1.132.Final-osx-x86_64.jar
-    - io.netty-netty-transport-4.1.132.Final.jar
-    - io.netty-netty-transport-classes-epoll-4.1.132.Final.jar
-    - io.netty-netty-transport-native-epoll-4.1.132.Final-linux-aarch_64.jar
-    - io.netty-netty-transport-native-epoll-4.1.132.Final-linux-x86_64.jar
-    - io.netty-netty-transport-native-unix-common-4.1.132.Final.jar
-    - io.netty-netty-tcnative-boringssl-static-2.0.75.Final.jar
-    - io.netty-netty-tcnative-boringssl-static-2.0.75.Final-linux-aarch_64.jar
-    - io.netty-netty-tcnative-boringssl-static-2.0.75.Final-linux-x86_64.jar
-    - io.netty-netty-tcnative-boringssl-static-2.0.75.Final-osx-aarch_64.jar
-    - io.netty-netty-tcnative-boringssl-static-2.0.75.Final-osx-x86_64.jar
-    - io.netty-netty-tcnative-boringssl-static-2.0.75.Final-windows-x86_64.jar
-    - io.netty-netty-tcnative-classes-2.0.75.Final.jar
+    - io.netty-netty-buffer-4.1.133.Final.jar
+    - io.netty-netty-codec-4.1.133.Final.jar
+    - io.netty-netty-codec-dns-4.1.133.Final.jar
+    - io.netty-netty-codec-http-4.1.133.Final.jar
+    - io.netty-netty-codec-http2-4.1.133.Final.jar
+    - io.netty-netty-codec-socks-4.1.133.Final.jar
+    - io.netty-netty-codec-haproxy-4.1.133.Final.jar
+    - io.netty-netty-common-4.1.133.Final.jar
+    - io.netty-netty-handler-4.1.133.Final.jar
+    - io.netty-netty-handler-proxy-4.1.133.Final.jar
+    - io.netty-netty-resolver-4.1.133.Final.jar
+    - io.netty-netty-resolver-dns-4.1.133.Final.jar
+    - io.netty-netty-resolver-dns-classes-macos-4.1.133.Final.jar
+    - io.netty-netty-resolver-dns-native-macos-4.1.133.Final-osx-aarch_64.jar
+    - io.netty-netty-resolver-dns-native-macos-4.1.133.Final-osx-x86_64.jar
+    - io.netty-netty-transport-4.1.133.Final.jar
+    - io.netty-netty-transport-classes-epoll-4.1.133.Final.jar
+    - io.netty-netty-transport-native-epoll-4.1.133.Final-linux-aarch_64.jar
+    - io.netty-netty-transport-native-epoll-4.1.133.Final-linux-x86_64.jar
+    - io.netty-netty-transport-native-unix-common-4.1.133.Final.jar
+    - io.netty-netty-tcnative-boringssl-static-2.0.77.Final.jar
+    - io.netty-netty-tcnative-boringssl-static-2.0.77.Final-linux-aarch_64.jar
+    - io.netty-netty-tcnative-boringssl-static-2.0.77.Final-linux-x86_64.jar
+    - io.netty-netty-tcnative-boringssl-static-2.0.77.Final-osx-aarch_64.jar
+    - io.netty-netty-tcnative-boringssl-static-2.0.77.Final-osx-x86_64.jar
+    - io.netty-netty-tcnative-boringssl-static-2.0.77.Final-windows-x86_64.jar
+    - io.netty-netty-tcnative-classes-2.0.77.Final.jar
     - io.netty.incubator-netty-incubator-transport-classes-io_uring-0.0.26.Final.jar
     - io.netty.incubator-netty-incubator-transport-native-io_uring-0.0.26.Final-linux-x86_64.jar
     - io.netty.incubator-netty-incubator-transport-native-io_uring-0.0.26.Final-linux-aarch_64.jar
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
index a4b39875910..3bd1c010290 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -345,35 +345,35 @@ The Apache Software License, Version 2.0
     - commons-text-1.14.0.jar
     - commons-compress-1.28.0.jar
  * Netty
-    - netty-buffer-4.1.132.Final.jar
-    - netty-codec-4.1.132.Final.jar
-    - netty-codec-dns-4.1.132.Final.jar
-    - netty-codec-http-4.1.132.Final.jar
-    - netty-codec-socks-4.1.132.Final.jar
-    - netty-codec-haproxy-4.1.132.Final.jar
-    - netty-common-4.1.132.Final.jar
-    - netty-handler-4.1.132.Final.jar
-    - netty-handler-proxy-4.1.132.Final.jar
-    - netty-resolver-4.1.132.Final.jar
-    - netty-resolver-dns-4.1.132.Final.jar
-    - netty-transport-4.1.132.Final.jar
-    - netty-transport-classes-epoll-4.1.132.Final.jar
-    - netty-transport-native-epoll-4.1.132.Final-linux-aarch_64.jar
-    - netty-transport-native-epoll-4.1.132.Final-linux-x86_64.jar
-    - netty-transport-native-unix-common-4.1.132.Final.jar
-    - netty-tcnative-boringssl-static-2.0.75.Final.jar
-    - netty-tcnative-boringssl-static-2.0.75.Final-linux-aarch_64.jar
-    - netty-tcnative-boringssl-static-2.0.75.Final-linux-x86_64.jar
-    - netty-tcnative-boringssl-static-2.0.75.Final-osx-aarch_64.jar
-    - netty-tcnative-boringssl-static-2.0.75.Final-osx-x86_64.jar
-    - netty-tcnative-boringssl-static-2.0.75.Final-windows-x86_64.jar
-    - netty-tcnative-classes-2.0.75.Final.jar
+    - netty-buffer-4.1.133.Final.jar
+    - netty-codec-4.1.133.Final.jar
+    - netty-codec-dns-4.1.133.Final.jar
+    - netty-codec-http-4.1.133.Final.jar
+    - netty-codec-socks-4.1.133.Final.jar
+    - netty-codec-haproxy-4.1.133.Final.jar
+    - netty-common-4.1.133.Final.jar
+    - netty-handler-4.1.133.Final.jar
+    - netty-handler-proxy-4.1.133.Final.jar
+    - netty-resolver-4.1.133.Final.jar
+    - netty-resolver-dns-4.1.133.Final.jar
+    - netty-transport-4.1.133.Final.jar
+    - netty-transport-classes-epoll-4.1.133.Final.jar
+    - netty-transport-native-epoll-4.1.133.Final-linux-aarch_64.jar
+    - netty-transport-native-epoll-4.1.133.Final-linux-x86_64.jar
+    - netty-transport-native-unix-common-4.1.133.Final.jar
+    - netty-tcnative-boringssl-static-2.0.77.Final.jar
+    - netty-tcnative-boringssl-static-2.0.77.Final-linux-aarch_64.jar
+    - netty-tcnative-boringssl-static-2.0.77.Final-linux-x86_64.jar
+    - netty-tcnative-boringssl-static-2.0.77.Final-osx-aarch_64.jar
+    - netty-tcnative-boringssl-static-2.0.77.Final-osx-x86_64.jar
+    - netty-tcnative-boringssl-static-2.0.77.Final-windows-x86_64.jar
+    - netty-tcnative-classes-2.0.77.Final.jar
     - netty-incubator-transport-classes-io_uring-0.0.26.Final.jar
     - netty-incubator-transport-native-io_uring-0.0.26.Final-linux-aarch_64.jar
     - netty-incubator-transport-native-io_uring-0.0.26.Final-linux-x86_64.jar
-    - netty-resolver-dns-classes-macos-4.1.132.Final.jar
-    - netty-resolver-dns-native-macos-4.1.132.Final-osx-aarch_64.jar
-    - netty-resolver-dns-native-macos-4.1.132.Final-osx-x86_64.jar
+    - netty-resolver-dns-classes-macos-4.1.133.Final.jar
+    - netty-resolver-dns-native-macos-4.1.133.Final-osx-aarch_64.jar
+    - netty-resolver-dns-native-macos-4.1.133.Final-osx-x86_64.jar
  * Prometheus client
     - simpleclient-0.16.0.jar
     - simpleclient_log4j2-0.16.0.jar
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index efbef5b4365..36f7ea252d4 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -25,7 +25,7 @@ checkstyle = "13.3.0"
 # Major frameworks
 bookkeeper = "4.17.3"
 zookeeper = "3.9.5"
-netty = "4.1.132.Final"
+netty = "4.1.133.Final"
 netty-iouring = "0.0.26.Final"
 jetty = "12.1.8"
 jersey = "2.42"
@@ -71,7 +71,7 @@ asynchttpclient = "2.14.5"
 conscrypt = "2.5.2"
 okhttp3 = "5.3.1"
 okio = "3.16.3"
-netty-tcnative = "2.0.75.Final"
+netty-tcnative = "2.0.77.Final"
 httpcomponents-httpclient = "4.5.13"
 httpcomponents-httpcore = "4.4.15"
 # Google libraries (transitive deps, versions managed to match Maven)
