kevinjqliu opened a new pull request, #16290:
URL: https://github.com/apache/iceberg/pull/16290
Closes #16286.
Closes #16288.
## Changes
Bump `awssdk-bom` from 2.44.0 to 2.44.4 and add global dependency
overrides to fix CVEs in transitive dependencies that upstream libraries
have not yet updated.
### Version bump
- `awssdk-bom`: 2.44.0 → 2.44.4 (brings Netty 4.1.133.Final natively)
### Forced overrides
- **Netty 4.1.x → 4.1.133.Final**: `eachDependency` rule forces all
Netty 4.1.x transitive deps (from Azure SDK 1.3.6, Hadoop 3.4.3) to
4.1.133.Final. Fixes CVE-2026-42579, CVE-2026-42583, CVE-2026-42584,
CVE-2026-42587.
- **BouncyCastle → 1.84**: `dependencySubstitution` overrides bcprov
1.82 pulled by Hadoop. Fixes CVE-2026-5598.
### Verified clean (0 HIGH/CRITICAL findings)
aws-bundle, gcp-bundle, spark-3.5, spark-4.0, spark-4.1, flink-1.20,
flink-2.0, flink-2.1
### Known unfixable
| CVE | Distributions | Package | Reason |
|-----|---------------|---------|--------|
| CVE-2026-42577 | kafka-connect, azure-bundle, open-api | `[email protected]` | Fix only in 4.2.13.Final (major version line change). No 4.1.x patch exists. |
| CVE-2025-52999 | spark-3.4 | `[email protected]` | Pinned to 2.14.2 for Spark 3.4 compatibility. Fix requires 2.15.0+. |
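As an added illustration of the two override mechanisms the PR names (this is not the PR's diff or Iceberg's own build script), the snippet below shows how a Gradle build typically forces a transitive version line with `eachDependency` and swaps a single artifact with `dependencySubstitution`. The `io.netty` group, the `bcprov-jdk18on` artifact id, and the `because` reasons are assumptions made for the example, not values taken from the PR.

```groovy
// Added example of Gradle dependency overrides; not the PR's own build.gradle.
// Assumptions: Netty artifacts live under the io.netty group and the
// BouncyCastle provider artifact is org.bouncycastle:bcprov-jdk18on.
configurations.all {
    resolutionStrategy {
        // Force every transitive Netty 4.1.x artifact (e.g. from Azure SDK or
        // Hadoop) onto the patched 4.1.133.Final release. Only the 4.1 line is
        // rewritten so a 4.2.x dependency, if one ever appears, is not downgraded.
        eachDependency { DependencyResolveDetails details ->
            def req = details.requested
            if (req.group == 'io.netty'
                    && req.version?.startsWith('4.1.')
                    && req.version != '4.1.133.Final') {
                details.useVersion('4.1.133.Final')
                details.because('CVE-2026-42579, CVE-2026-42583, ' +
                                'CVE-2026-42584, CVE-2026-42587')
            }
        }
        // Replace the exact bcprov 1.82 coordinate that Hadoop pulls in with 1.84.
        // A substitution targets one module, so it does not catch other
        // BouncyCastle artifacts; use an eachDependency rule for a whole group.
        dependencySubstitution {
            substitute(module('org.bouncycastle:bcprov-jdk18on:1.82'))
                .using(module('org.bouncycastle:bcprov-jdk18on:1.84'))
                .because('CVE-2026-5598')
        }
    }
}
```

Both rules only rewrite dependencies that are already in the graph, so they need re-checking whenever an upstream library changes its transitive set. To confirm what actually resolved, `./gradlew dependencyInsight --dependency io.netty --configuration runtimeClasspath` prints the selected version together with the `because` reason recorded above, which is the quickest way to verify an override took effect before re-running a scanner against the produced bundles.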