[hotfix][build] Bump netty to 4.2.13.Final (CVEs)#28124

Merged
snuyanzin merged 1 commit into apache:master from spuru9:bump-netty-4.2.13-cve on May 11, 2026

Conversation

@spuru9 (Contributor) commented May 7, 2026

What is the purpose of the change

Bump io.netty:netty-bom from 4.2.12.Final to 4.2.13.Final to pick up CVE fixes for the Netty modules Flink actually uses (non-shaded scope).

Brief change log

  • pom.xml: bump netty-bom 4.2.12.Final → 4.2.13.Final
  • Update matching META-INF/NOTICE entries in flink-rpc-akka, flink-python, and flink-s3-fs-native so NoticeFileChecker passes

CVEs addressed

Of the CVEs fixed in 4.2.13.Final, these apply to modules Flink imports:

| CVE | Module |
|---|---|
| CVE-2026-41417 | netty-codec-http |
| CVE-2026-42580 | netty-codec-http |
| CVE-2026-42581 | netty-codec-http |
| CVE-2026-42584 | netty-codec-http |
| CVE-2026-42585 | netty-codec-http |
| CVE-2026-42587 | netty-codec-http (http2 N/A) |
| CVE-2026-42583 | netty-codec / netty-codec-compression |
| CVE-2026-42577 | netty-transport-native-epoll |

CVEs in netty-codec-redis, netty-codec-dns, netty-codec-mqtt, netty-codec-http2, netty-codec-http3, and netty-handler-proxy do not apply — those modules are not used by Flink.

Scope

Non-shaded only, mirroring the prior PR #28072 / FLINK-39580 split. The runtime networking path that flows through flink-shaded-netty requires a separate sync in that repo and is not addressed here.

Verifying this change

This change is a dependency version bump and is already covered by tests.

  • The build, unit tests, integration tests pass.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no (NOTICE-only update)

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

AI Disclosure

  • I confirm that AI agents (e.g. Cursor, Claude code, Github Copilot) were used in the process of creating this PR. Tool: Claude Code.

Bumps io.netty:netty-bom from 4.2.12.Final to 4.2.13.Final to pick up
fixes for the netty modules Flink uses directly:

  - netty-codec-http: CVE-2026-41417, CVE-2026-42580, CVE-2026-42581,
    CVE-2026-42584, CVE-2026-42585, CVE-2026-42587
  - netty-codec / netty-codec-compression: CVE-2026-42583
  - netty-transport-native-epoll: CVE-2026-42577

Updates the matching META-INF/NOTICE entries in flink-rpc-akka,
flink-python, and flink-s3-fs-native to satisfy NoticeFileChecker.

Scope is non-shaded only (mirrors PR apache#28072 / FLINK-39580); the
flink-shaded-netty sync is a separate follow-up.
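
As an added example (not Flink's NoticeFileChecker, nor code from this PR), the kind of consistency check the change log relies on: read the io.netty:netty-bom version out of a pom.xml and flag META-INF/NOTICE entries for io.netty artifacts that still carry a different version. The POM fragment and NOTICE excerpts below are constructed for illustration; the flink-python excerpt deliberately keeps the pre-bump version so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment (not Flink's real pom): netty-bom imported via a property.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><netty.version>4.2.13.Final</netty.version></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>io.netty</groupId><artifactId>netty-bom</artifactId>
    <version>${netty.version}</version><type>pom</type><scope>import</scope>
  </dependency></dependencies></dependencyManagement>
</project>"""

# Constructed META-INF/NOTICE excerpts; flink-python still carries the pre-bump version.
NOTICE_FILES = {
    "flink-rpc-akka": "- io.netty:netty-codec-http:4.2.13.Final\n"
                      "- io.netty:netty-transport-native-epoll:4.2.13.Final\n",
    "flink-python": "- io.netty:netty-codec-http:4.2.12.Final\n"
                    "- com.google.guava:guava:32.1.3-jre\n",
}
NETTY_ENTRY = re.compile(r"io\.netty:(?P<artifact>[\w.-]+):(?P<version>\S+)")

def _local(tag):
    # Strip the Maven XML namespace so lookups work on bare element names.
    return tag.rsplit("}", 1)[-1]

def netty_bom_version(pom_xml):
    """Return the io.netty:netty-bom version from the POM, resolving ${property} references."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root.iter() if _local(el.tag) == "properties" for p in el}
    for dep in (e for e in root.iter() if _local(e.tag) == "dependency"):
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "io.netty" and fields.get("artifactId") == "netty-bom":
            m = re.fullmatch(r"\$\{(.+)\}", fields["version"])
            return props[m.group(1)] if m else fields["version"]
    raise ValueError("no io.netty:netty-bom dependency found")

def stale_netty_entries(notice_text, expected):
    """Return (artifact, version) pairs of io.netty NOTICE entries whose version is not the BOM's."""
    return [(m["artifact"], m["version"])
            for m in NETTY_ENTRY.finditer(notice_text) if m["version"] != expected]

def check_notices(pom_xml, notices):
    """Map module -> stale netty entries; an empty dict means every NOTICE matches the POM."""
    expected = netty_bom_version(pom_xml)
    return {mod: stale for mod, text in notices.items()
            if (stale := stale_netty_entries(text, expected))}

if __name__ == "__main__":
    for module, stale in check_notices(POM_XML, NOTICE_FILES).items():
        print(f"{module}: stale netty entries {stale}, pom.xml says {netty_bom_version(POM_XML)}")
```

Run against real module directories, the same functions would take each module's NOTICE text and the root pom.xml; only the io.netty entries are compared, since that is what a netty-bom bump changes.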

@flinkbot (Collaborator) commented May 7, 2026

CI report:

Bot commands: the @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build

@spuru9 (Contributor, Author) commented May 7, 2026

@snuyanzin a minor netty bump for some vulnerability fixes

github-actions bot added the label community-reviewed (PR has been reviewed by the community) on May 10, 2026
snuyanzin merged commit 66b88f6 into apache:master on May 11, 2026