spuru9 opened a new pull request, #28124:
URL: https://github.com/apache/flink/pull/28124
## What is the purpose of the change
Bump `io.netty:netty-bom` from `4.2.12.Final` to `4.2.13.Final` to pick up
CVE fixes for the Netty modules Flink actually uses (non-shaded scope).
## Brief change log
- `pom.xml`: bump `netty-bom` 4.2.12.Final → 4.2.13.Final
- Update matching `META-INF/NOTICE` entries in `flink-rpc-akka`,
`flink-python`, and `flink-s3-fs-native` so `NoticeFileChecker` passes
## CVEs addressed
Of the CVEs fixed in 4.2.13.Final, these apply to modules Flink imports:
| CVE | Module |
|---|---|
| CVE-2026-41417 | netty-codec-http |
| CVE-2026-42580 | netty-codec-http |
| CVE-2026-42581 | netty-codec-http |
| CVE-2026-42584 | netty-codec-http |
| CVE-2026-42585 | netty-codec-http |
| CVE-2026-42587 | netty-codec-http (http2 N/A) |
| CVE-2026-42583 | netty-codec / netty-codec-compression |
| CVE-2026-42577 | netty-transport-native-epoll |
CVEs in `netty-codec-redis`, `netty-codec-dns`, `netty-codec-mqtt`,
`netty-codec-http2`, `netty-codec-http3`, and `netty-handler-proxy` do not
apply — those modules are not used by Flink.
## Scope
Non-shaded only, mirroring the prior PR #28072 / FLINK-39580 split. The
runtime networking path that flows through `flink-shaded-netty` requires a
separate sync in that repo and is not addressed here.
## Verifying this change
This change is a dependency version bump and is already covered by tests.
- The build, unit tests, integration tests pass.
## Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): **yes**
- The public API, i.e., is any changed class annotated with
`@Public(Evolving)`: no
- The serializers: no
- The runtime per-record code paths (performance sensitive): no
- Anything that affects deployment or recovery: JobManager (and its
components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
- The S3 file system connector: no (NOTICE-only update)
## Documentation
- Does this pull request introduce a new feature? no
- If yes, how is the feature documented? not applicable
## AI Disclosure
- [x] I confirm that AI agents (e.g. Cursor, Claude Code, GitHub Copilot)
were used in the process of creating this PR. Tool: Claude Code.
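The "Brief change log" above pairs the `netty-bom` bump with matching `META-INF/NOTICE` edits so `NoticeFileChecker` passes. As an added illustration that is not part of this PR or of Flink's own `NoticeFileChecker`, the script below reads the `netty-bom` version from a `pom.xml` and reports every `io.netty` NOTICE entry that still carries a different version. The `pom.xml` fragment, the NOTICE paths and the NOTICE lines are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs standing in for the real files (not Flink's own).
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>io.netty</groupId><artifactId>netty-bom</artifactId>
      <version>4.2.13.Final</version><type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

NOTICES = {  # constructed: one module already bumped, one still on the old version
    "flink-rpc-akka/META-INF/NOTICE": """
- io.netty:netty-codec-http:4.2.13.Final
- io.netty:netty-transport-native-epoll:4.2.13.Final
""",
    "flink-python/META-INF/NOTICE": """
- io.netty:netty-codec-http:4.2.12.Final
- com.google.guava:guava:33.0.0-jre
""",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# NOTICE entries of the form "- groupId:artifactId:version"
NOTICE_LINE = re.compile(r"^- (?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<version>\S+)$")


def netty_bom_version(pom_xml: str) -> str:
    """Return the io.netty:netty-bom version declared in <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind(".//m:dependencyManagement/m:dependencies/m:dependency", NS):
        if (dep.findtext("m:groupId", namespaces=NS) == "io.netty"
                and dep.findtext("m:artifactId", namespaces=NS) == "netty-bom"):
            return dep.findtext("m:version", namespaces=NS)
    raise ValueError("netty-bom not found in dependencyManagement")


def stale_netty_entries(notices: dict[str, str], expected: str) -> list[tuple[str, str, str]]:
    """(notice_path, artifact, version) for io.netty entries whose version != the BOM's.

    All Netty artifacts in the BOM share one version, so any disagreeing
    io.netty line is a NOTICE entry that was missed during the bump."""
    stale = []
    for path, text in notices.items():
        for line in text.splitlines():
            m = NOTICE_LINE.match(line.strip())
            if m and m["group"] == "io.netty" and m["version"] != expected:
                stale.append((path, m["artifact"], m["version"]))
    return stale
```

Running `stale_netty_entries(NOTICES, netty_bom_version(POM_XML))` on the sample data flags only the `flink-python` entry still at 4.2.12.Final.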