lfurman opened a new pull request, #3026:
URL: https://github.com/apache/james-project/pull/3026
## Motivation
`netty.version 4.1.126.Final` is affected by two HIGH-severity CVEs:
- CVE-2026-33871
- CVE-2026-33870
Both are fixed in `4.1.132.Final`.
## Changes
| Dependency | From | To |
|---|---|---|
| `netty.version` | `4.1.126.Final` | `4.1.132.Final` |
| `lettuce.core.version` | `6.7.1.RELEASE` | `6.8.2.RELEASE` |
| `reactor-bom` | `2024.0.10` | `2024.0.17` |
| `s3-sdk.version` (blob-s3) | `2.33.5` | `2.42.34` |
`lettuce-core` (the Redis client) uses Netty internally, so it is bumped
alongside Netty to keep both on a consistent Netty runtime.
`reactor-bom` and `s3-sdk` are bumped to their latest stable releases as
part of the same dependency maintenance pass.
## Testing
1. Build the distributed-app module:
```
mvn clean package -DskipTests -pl server/apps/distributed-app -am
```
2. Check the version of the netty libraries in the output directory:
```
ls server/apps/distributed-app/target/james-server-distributed-app.lib |
grep netty | sort
```
Output:
```
james-server-guice-netty-3.10.0-SNAPSHOT.jar
netty-buffer-4.1.132.Final.jar
netty-codec-4.1.132.Final.jar
netty-codec-dns-4.1.132.Final.jar
netty-codec-haproxy-4.1.132.Final.jar
netty-codec-http-4.1.132.Final.jar
netty-codec-http2-4.1.132.Final.jar
netty-codec-socks-4.1.132.Final.jar
netty-common-4.1.132.Final.jar
netty-handler-4.1.132.Final.jar
netty-handler-proxy-4.1.132.Final.jar
netty-nio-client-2.42.34.jar
netty-resolver-4.1.132.Final.jar
netty-resolver-dns-4.1.132.Final.jar
netty-resolver-dns-classes-macos-4.1.132.Final.jar
netty-resolver-dns-native-macos-4.1.132.Final-osx-x86_64.jar
netty-transport-4.1.132.Final.jar
netty-transport-classes-epoll-4.1.132.Final.jar
netty-transport-native-epoll-4.1.132.Final-linux-x86_64.jar
netty-transport-native-epoll-4.1.132.Final.jar
netty-transport-native-unix-common-4.1.132.Final.jar
protocols-netty-3.10.0-SNAPSHOT.jar
reactor-netty-1.2.17.jar
reactor-netty-core-1.2.17.jar
reactor-netty-http-1.2.17.jar
```
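The manual check in the Testing steps, as an added example that is not part of the pull request or the James build: a POSIX shell filter that reads the jar listing and reports any `io.netty` jar not at the expected version. The function names are hypothetical, and it assumes `io.netty` jars are named `netty-<module>-<version>.Final[-classifier].jar`, so jars that only carry "netty" in their name (`reactor-netty-*`, the AWS SDK's `netty-nio-client`, James's own modules) are skipped.

```shell
#!/bin/sh
# Added example: flag io.netty jars that were not moved to the expected version.
# Assumption: io.netty artifacts look like netty-<module>-<x.y.z>.Final[-classifier].jar.

# Reads jar file names on stdin; prints each io.netty jar whose version != $1.
stale_netty_jars() {
    expected="$1"
    # Emit "<version> <jar>" for io.netty jars only; every other line is dropped.
    sed -n -E 's/^(netty-[a-z0-9-]+)-([0-9]+\.[0-9]+\.[0-9]+\.Final)(-[A-Za-z0-9_-]+)?\.jar$/\2 &/p' |
    while read -r version jar; do
        [ "$version" = "$expected" ] || printf '%s\n' "$jar"
    done
}

# Returns 0 when every io.netty jar on stdin is at version $1, 1 otherwise.
check_netty_alignment() {
    stale=$(stale_netty_jars "$1")
    if [ -n "$stale" ]; then
        printf 'io.netty jars not at %s:\n%s\n' "$1" "$stale" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing (not build output): one module left at the old version,
# as happens when a transitive dependency pins its own Netty artifact.
sample='netty-buffer-4.1.132.Final.jar
netty-codec-http-4.1.126.Final.jar
netty-transport-native-epoll-4.1.132.Final-linux-x86_64.jar
netty-nio-client-2.42.34.jar
reactor-netty-core-1.2.17.jar
protocols-netty-3.10.0-SNAPSHOT.jar'

printf '%s\n' "$sample" | check_netty_alignment 4.1.132.Final ||
    echo "sample listing: mixed Netty versions detected"

# Against a real build, from the repository root:
#   ls server/apps/distributed-app/target/james-server-distributed-app.lib |
#       check_netty_alignment 4.1.132.Final
```

Because the check exits non-zero on a mismatch, it can gate a CI step after the `mvn package` build.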