2 changes: 1 addition & 1 deletion pom.xml
@@ -65,7 +65,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<testcontainers.version>2.0.3</testcontainers.version>
<netty.version>4.2.9.Final</netty.version>
<netty.version>4.2.11.Final</netty.version>
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify Netty 4.2.11.Final exists on Maven Central and check for security advisories

# Check if the version exists on Maven Central
echo "=== Checking Maven Central for netty-common 4.2.11.Final ==="
curl -s "https://repo1.maven.org/maven2/io/netty/netty-common/4.2.11.Final/netty-common-4.2.11.Final.pom" | head -20

# Check for security vulnerabilities using GitHub advisory database
echo ""
echo "=== Checking GitHub Security Advisories for Netty ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: MAVEN, package: "io.netty:netty-common") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: socketio4j/netty-socketio

Length of output: 1087


🌐 Web query:

Netty 4.2.11.Final release notes security fixes

💡 Result:

Netty 4.2.11.Final was released on March 24 or 25, 2026. It includes security fixes for two vulnerabilities:
- CVE-2026-33871: HTTP/2 CONTINUATION Frame Flood Denial of Service (GHSA-w9fj-cfpg-grvv)
- CVE-2026-33870: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing (GHSA-pwqr-wmgm-9rr8)
These are listed under the "Security" section of the release notes on GitHub and newreleases.io. The release also contains various bug fixes and improvements, such as updates to JDK 26 EA, HTTP/3 support enhancements, fixes for epoll and IoUring issues, OpenSSL improvements, and more. The full changelog is available at netty/netty@netty-4.2.10.Final...netty-4.2.11.Final. No dedicated release notes page on netty.io/news/ for this version was found; recent announcements appear to be on GitHub tags and third-party release trackers.

🌐 Web query:

Netty 4.2.10.Final 4.2.11.Final changelog changes

💡 Result:

Netty 4.2.11.Final was released on March 24-25, 2026. There is no dedicated release announcement on netty.io/news for this version (unlike 4.2.10.Final on Feb 5, 2026). The changes from 4.2.10.Final to 4.2.11.Final are detailed in the GitHub release changelog. Key changes include:
Security: CVE-2026-33871 (HTTP/2 CONTINUATION Frame Flood DoS), CVE-2026-33870 (HTTP Request Smuggling).
Notable fixes and improvements:
- Update to latest JDK 26 EA (#16230)
- HTTP3: non-standard settings support (#16171)
- Epoll: Fix CPU usage when channel registered but no I/O (#162xx)
- Avoid allocation in HttpObjectEncoder (#16241)
- HTTP2: padding in decompress (#16264)
- AdaptivePoolingAllocator fixes (#164xx, #165xx)
- Enforce maxDirectMemory on all Java versions (#16489)
- Limit Continuation frames in HTTP/2 Headers (#16536, auto-port)
- IoUring, Kqueue, native transport fixes
- OpenSSL, QUIC, DNS resolver improvements
- Various cleanups, benchmarks, new contributors
Full list in GitHub changelog: netty-4.2.10.Final...netty-4.2.11.Final.
For 4.2.10.Final release notes (prior version): Bug-fix release fixing a regression from 4.2.9.Final. Key changes: IORING_OP_SENDMSG_ZC reimplement (#16130), DNS MX RDATA decompress (#16040), adaptive allocator enhancements (#16053, #15741), NioDatagramChannel fix (#16044), QUIC limits (#16117), SslHandler resume fix (#16144), etc.

🌐 Web query:

Netty CVE security advisory 4.2.9 4.2.10 4.2.11

💡 Result:

Netty versions 4.2.9.Final, 4.2.10.Final, and 4.2.11.Final (assuming sequential release) are recent bug-fix releases with no directly assigned CVEs fixed in their release notes. However, they follow security fixes in prior versions:
- 4.2.8.Final (Dec 2025): Fixes CVE-2025-67735 (CRLF injection in HttpRequestEncoder leading to request smuggling; affects <4.2.8.Final. GHSA-84h7-rjj3-6jx4, CVSS 6.5 Medium).
- 4.2.7.Final (Oct 2025): Fixes CVE-2025-59419 (SMTP command injection).
- 4.2.5.Final (Sep 2025): Fixes request smuggling via chunk extensions (CVE-2025-58056, GHSA-fghv-69vj-qj49).
- Earlier: CVE-2025-55163 (HTTP/2 MadeYouReset DDoS, fixed in 4.2.4.Final).
These versions inherit all prior security fixes and address regressions/bugs, but no new CVEs are explicitly mentioned for 4.2.9-4.2.11. Upgrade to latest (4.2.10.Final as of Feb 2026) for security. Official advisories: https://github.com/netty/netty/security.

Upgrade to 4.2.11.Final is justified—include security fixes in PR description.

Version 4.2.11.Final exists and includes two important security fixes:

Along with bug fixes for epoll, IoUring, HTTP/3, and OpenSSL, this justifies the upgrade from 4.2.9.Final. The patch-level update maintains backward compatibility while propagating fixes to all Netty artifacts via the ${netty.version} property.

Document these security fixes in the PR description to clarify the upgrade motivation for reviewers.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pom.xml` at line 68, The PR updates the Netty version property
(<netty.version>4.2.11.Final</netty.version>) but the description lacks the
security rationale; update the PR description to state that this is a
patch-level upgrade from 4.2.9.Final to 4.2.11.Final and explicitly list the two
security fixes (CVE-2026-33871 and CVE-2026-33870) plus the related bugfixes
(epoll, IoUring, HTTP/3, OpenSSL) so reviewers understand the motivation and
that the change is safe because it’s propagated via the netty.version property.

<jmockit.version>1.50</jmockit.version>
<byte-buddy.version>1.18.4</byte-buddy.version>
<junit.version>6.0.2</junit.version>
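Review bot: The PR description should state why `<netty.version>` moves from 4.2.9.Final to 4.2.11.Final, since the bump crosses two releases: per the advisory lookup in this thread, 4.2.11.Final carries the fixes for CVE-2026-33871 (HTTP/2 CONTINUATION frame flood) and CVE-2026-33870 (request smuggling via chunked-extension parsing), and the intermediate 4.2.10.Final is described as a bug-fix release for a 4.2.9.Final regression. Before merging, also confirm that every io.netty dependency in this POM, including any native transport entries, takes its version from `${netty.version}` rather than a literal; a single hardcoded `4.2.9.Final` elsewhere in the file would leave part of the dependency tree on the unpatched release after this one-line change.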
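The review above rests on the assumption that the `${netty.version}` property reaches every Netty artifact in the POM. The following script is an added example, not netty-socketio project code, that audits a Maven POM for io.netty dependencies whose version is hardcoded instead of referencing the shared property. The embedded POM is a constructed sample that mirrors the property block in the diff and adds three hypothetical netty dependencies (one deliberately pinned to 4.2.9.Final); the status labels `ok`, `hardcoded-matches`, `mismatch` and `inherited` are this example's own naming.

```python
"""Audit a Maven POM for io.netty artifacts that bypass the netty.version property.

Added example for the netty-socketio version bump discussion; not project code.
"""
import re
import xml.etree.ElementTree as ET

PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POM: the property block mirrors the diff above; the three
# netty dependencies are hypothetical, and the epoll one is pinned on purpose.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.2.11.Final</netty.version>
    <jmockit.version>1.50</jmockit.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-codec-http</artifactId>
        <version>${netty.version}</version>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-transport-native-epoll</artifactId>
        <version>4.2.9.Final</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>${netty.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip the XML namespace so the audit works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def load_properties(root):
    """Collect every <properties> entry (including profile properties)."""
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                props[_local(prop.tag)] = (prop.text or "").strip()
    version = _child_text(root, "version")
    if version:
        props.setdefault("project.version", version)  # Maven's built-in placeholder
    return props


def resolve(value, props, depth=0):
    """Expand ${prop} placeholders recursively; unknown ones are left in place."""
    if value is None or depth > 10:  # depth guard against self-referencing properties
        return value
    expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else resolve(expanded, props, depth + 1)


def audit_netty_versions(pom_xml, expected, group="io.netty", prop="netty.version"):
    """Classify each <dependency> of `group` by how its version is declared."""
    root = ET.fromstring(pom_xml)
    props = load_properties(root)
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency" or _child_text(dep, "groupId") != group:
            continue
        declared = _child_text(dep, "version")
        resolved = resolve(declared, props)
        if declared is None:
            status = "inherited"          # version comes from a parent or BOM; audit there
        elif declared == "${%s}" % prop and resolved == expected:
            status = "ok"                 # tracks the shared property
        elif resolved == expected:
            status = "hardcoded-matches"  # correct today, silently drifts on the next bump
        else:
            status = "mismatch"           # stays on another release after the bump
        findings.append({"artifactId": _child_text(dep, "artifactId"),
                         "declared": declared, "resolved": resolved, "status": status})
    return findings


def drifting_artifacts(findings):
    """Artifacts a reviewer must fix before trusting the property bump."""
    return sorted(f["artifactId"] for f in findings
                  if f["status"] in ("mismatch", "hardcoded-matches"))


if __name__ == "__main__":
    results = audit_netty_versions(SAMPLE_POM, "4.2.11.Final")
    for f in results:
        print(f"{f['status']:18} {f['artifactId']:32} {f['declared']} -> {f['resolved']}")
    print("needs attention:", drifting_artifacts(results))
```

Run it against a real `pom.xml` by replacing `SAMPLE_POM` with the file contents; `mismatch` entries are the ones that would keep an older Netty on the classpath after a property-only bump like this PR, and `hardcoded-matches` entries are the ones that will break the next bump.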