Upgrade Netty version vulnerable to CVE-2025-24970

[dvgica]

The current Netty version 4.1.110.Final is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2025-24970. Version 4.1.118.Final has a patch.

It looks like other libs would probably need to be upgraded in sync so I may be missing some complications here, but creating the issue to get it out there.

[jxv120]

Hey folks, some of our components who use Apache Beam are reporting this vulnerability, even after upgrading on those to the latest version of Netty available.
Let us know if this vulnerability is been address and under which version of beam it has been fixed🙏

[raboof]

it looks like v2.65.0 has 4.1.118.Final (https://github.com/apache/beam/blob/v2.65.0/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L630), could you confirm?

[dvgica]

Confirmed, thanks for the update!

[joachim-isaksson]

2.67.0 seems to have reverted to the vulnerable 4.1.110.Final again.

https://github.com/apache/beam/blob/v2.67.0/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy#L634