[hotfix][build] Bump netty to 4.2.13.Final (CVEs) #28124

Open
spuru9 wants to merge 1 commit into apache:master from spuru9:bump-netty-4.2.13-cve

Conversation

spuru9 (Contributor) commented May 7, 2026

What is the purpose of the change

Bump io.netty:netty-bom from 4.2.12.Final to 4.2.13.Final to pick up CVE fixes for the Netty modules Flink actually uses (non-shaded scope).

Brief change log

  • pom.xml: bump netty-bom 4.2.12.Final → 4.2.13.Final
  • Update matching META-INF/NOTICE entries in flink-rpc-akka, flink-python, and flink-s3-fs-native so NoticeFileChecker passes

CVEs addressed

Of the CVEs fixed in 4.2.13.Final, these apply to modules Flink imports:

| CVE | Module |
|---|---|
| CVE-2026-41417 | netty-codec-http |
| CVE-2026-42580 | netty-codec-http |
| CVE-2026-42581 | netty-codec-http |
| CVE-2026-42584 | netty-codec-http |
| CVE-2026-42585 | netty-codec-http |
| CVE-2026-42587 | netty-codec-http (http2 N/A) |
| CVE-2026-42583 | netty-codec / netty-codec-compression |
| CVE-2026-42577 | netty-transport-native-epoll |

CVEs in netty-codec-redis, netty-codec-dns, netty-codec-mqtt, netty-codec-http2, netty-codec-http3, and netty-handler-proxy do not apply — those modules are not used by Flink.

Scope

Non-shaded only, mirroring the prior PR #28072 / FLINK-39580 split. The runtime networking path that flows through flink-shaded-netty requires a separate sync in that repo and is not addressed here.

Verifying this change

This change is a dependency version bump and is already covered by tests.

  • The build, unit tests, integration tests pass.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no (NOTICE-only update)

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

AI Disclosure

  • I confirm that AI agents (e.g. Cursor, Claude code, Github Copilot) were used in the process of creating this PR. Tool: Claude Code.

Bumps io.netty:netty-bom from 4.2.12.Final to 4.2.13.Final to pick up
fixes for the netty modules Flink uses directly:

  - netty-codec-http: CVE-2026-41417, CVE-2026-42580, CVE-2026-42581,
    CVE-2026-42584, CVE-2026-42585, CVE-2026-42587
  - netty-codec / netty-codec-compression: CVE-2026-42583
  - netty-transport-native-epoll: CVE-2026-42577

Updates the matching META-INF/NOTICE entries in flink-rpc-akka,
flink-python, and flink-s3-fs-native to satisfy NoticeFileChecker.

Scope is non-shaded only (mirrors PR apache#28072 / FLINK-39580); the
flink-shaded-netty sync is a separate follow-up.
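The change log above says the META-INF/NOTICE entries were updated so NoticeFileChecker passes. As an added illustration (not Flink's NoticeFileChecker and not code from this PR), the script below performs the narrower consistency check a reviewer of such a bump would want: it reads the netty-bom version managed in pom.xml and flags every `io.netty:*` NOTICE entry that still carries a different version. The pom.xml fragment, the NOTICE excerpts and the module names are constructed samples; the stale flink-python entry is deliberate.

```python
"""Check that every io.netty entry in the bundled NOTICE files matches the
netty-bom version managed in pom.xml (simplified, added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment importing the netty BOM (hypothetical, trimmed).
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-bom</artifactId>
      <version>4.2.13.Final</version>
      <type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

# Constructed NOTICE excerpts keyed by module; flink-python is left stale on purpose.
NOTICES = {
    "flink-rpc-akka": "- io.netty:netty-codec-http:4.2.13.Final\n"
                      "- io.netty:netty-transport-native-epoll:4.2.13.Final\n",
    "flink-python": "- io.netty:netty-handler:4.2.12.Final\n",
    "flink-s3-fs-native": "- com.amazonaws:aws-java-sdk-s3:1.12.0\n"
                          "- io.netty:netty-codec-http:4.2.13.Final\n",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# NOTICE lines look like "- groupId:artifactId:version"; only io.netty entries matter here.
NOTICE_ENTRY = re.compile(r"^-\s+(io\.netty):([A-Za-z0-9._-]+):(\S+)\s*$", re.M)


def netty_bom_version(pom_xml: str) -> str:
    """Return the version of the io.netty:netty-bom dependency managed in the pom."""
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind(".//m:dependency", NS):
        if (dep.findtext("m:groupId", namespaces=NS) == "io.netty"
                and dep.findtext("m:artifactId", namespaces=NS) == "netty-bom"):
            return dep.findtext("m:version", namespaces=NS)
    raise ValueError("netty-bom is not managed in pom.xml")


def stale_notice_entries(pom_xml: str, notices: dict) -> list:
    """List (module, coordinate, version) for io.netty NOTICE entries not on the BOM version."""
    expected = netty_bom_version(pom_xml)
    stale = []
    for module, text in notices.items():
        for group, artifact, version in NOTICE_ENTRY.findall(text):
            if version != expected:
                stale.append((module, f"{group}:{artifact}", version))
    return stale


if __name__ == "__main__":
    for module, coord, version in stale_notice_entries(POM_XML, NOTICES):
        print(f"{module}: {coord} is at {version}, expected {netty_bom_version(POM_XML)}")
```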
flinkbot (Collaborator) commented May 7, 2026

CI report:

Bot commands: The @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build

spuru9 (Contributor, Author) commented May 7, 2026

@snuyanzin a minor netty bump for some vulnerability fixes
