Skip to content

Bump io.netty:netty-transport-native-epoll from 4.1.132.Final to 4.1.135.Final#38

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/io.netty-netty-transport-native-epoll-4.1.135.Final
Closed

Bump io.netty:netty-transport-native-epoll from 4.1.132.Final to 4.1.135.Final#38
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/io.netty-netty-transport-native-epoll-4.1.135.Final

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor

Bumps io.netty:netty-transport-native-epoll from 4.1.132.Final to 4.1.135.Final.

Release notes

Sourced from io.netty:netty-transport-native-epoll's releases.

netty-4.1.135.Final

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits
  • f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
  • 728c98b Redis: Limit the maximum number of nested arrays (#16882)
  • ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
  • cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
  • 652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
  • bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
  • d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
  • b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
  • 51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
  • db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [io.netty:netty-transport-native-epoll](https://github.com/netty/netty) from 4.1.132.Final to 4.1.135.Final.
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.1.132.Final...netty-4.1.135.Final)

---
updated-dependencies:
- dependency-name: io.netty:netty-transport-native-epoll
  dependency-version: 4.1.135.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jun 4, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #40.

@dependabot dependabot Bot closed this Jul 15, 2026
@dependabot
dependabot Bot deleted the dependabot/maven/io.netty-netty-transport-native-epoll-4.1.135.Final branch July 15, 2026 18:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants