Bump the netty group across 1 directory with 10 updates by dependabot[bot] · Pull Request #6997 · aws/aws-sdk-java-v2

dependabot · 2026-05-28T16:26:12Z

Bumps the netty group with 10 updates in the / directory:

Package	From	To
io.netty:netty-handler	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-transport	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-codec-http	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-codec-http2	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-codec	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-common	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-buffer	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-resolver	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-resolver-dns	`4.1.133.Final`	`4.1.135.Final`
io.netty:netty-transport-classes-epoll	`4.1.133.Final`	`4.1.135.Final`

Updates io.netty:netty-handler from 4.1.133.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-handler's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-transport from 4.1.133.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-transport's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-codec-http from 4.1.133.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-codec-http's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-codec-http2 from 4.1.133.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-codec-http2's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-codec from 4.1.133.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-codec's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-common from 4.1.133.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-common's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

Bumps the netty group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [io.netty:netty-handler](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-transport](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-codec-http](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-codec-http2](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-codec](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-common](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-buffer](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-resolver](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-resolver-dns](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | | [io.netty:netty-transport-classes-epoll](https://github.com/netty/netty) | `4.1.133.Final` | `4.1.135.Final` | Updates `io.netty:netty-handler` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-http` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-http2` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-common` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-buffer` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-resolver` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-resolver-dns` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport-classes-epoll` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-http` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-http2` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-common` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-buffer` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-resolver` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-resolver-dns` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport-classes-epoll` from 4.1.133.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.133.Final...netty-4.1.135.Final) --- updated-dependencies: - dependency-name: io.netty:netty-buffer dependency-version: 4.1.134.Final dependency-type: direct:development update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-buffer dependency-version: 4.1.134.Final dependency-type: direct:development update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-codec dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-codec dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-codec-http dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-codec-http dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-codec-http2 dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-codec-http2 dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-common dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-common dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-handler dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-resolver dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-resolver dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-resolver-dns dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-resolver-dns dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-transport dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-transport dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-transport-classes-epoll dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty - dependency-name: io.netty:netty-transport-classes-epoll dependency-version: 4.1.134.Final dependency-type: direct:production update-type: version-update:semver-patch dependency-group: netty ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies This issue is a problem in a dependency. java Pull requests that update java code labels May 28, 2026

dependabot Bot requested a review from a team as a code owner May 28, 2026 16:26

dependabot Bot added dependencies This issue is a problem in a dependency. java Pull requests that update java code labels May 28, 2026

dependabot Bot changed the title ~~Bump the netty group with 10 updates~~ Bump the netty group across 1 directory with 10 updates May 28, 2026

dependabot Bot force-pushed the dependabot/maven/netty-b6a4c4272b branch 12 times, most recently from 647fae6 to df1bb88 Compare June 3, 2026 04:30

dependabot Bot force-pushed the dependabot/maven/netty-b6a4c4272b branch from df1bb88 to 62b305b Compare June 3, 2026 06:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the netty group across 1 directory with 10 updates#6997

Bump the netty group across 1 directory with 10 updates#6997
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/maven/netty-b6a4c4272b

dependabot Bot commented on behalf of github May 28, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 28, 2026 •

edited

Loading