ARTEMIS-X Bump netty.version from 4.1.134.Final to 4.1.135.Final by dependabot[bot] · Pull Request #6492 · apache/artemis

dependabot · 2026-06-03T20:54:17Z

Bumps netty.version from 4.1.134.Final to 4.1.135.Final.
Updates io.netty:netty-buffer from 4.1.134.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-buffer's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-transport from 4.1.134.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-transport's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-handler from 4.1.134.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-handler's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-handler-proxy from 4.1.134.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-handler-proxy's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-codec from 4.1.134.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-codec's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in netty/netty#16834

ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in netty/netty#16847

HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in netty/netty#16856

HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in netty/netty#16861

IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in netty/netty#16860

Configurable bound on RedisArrayAggregator by @normanmaurer in netty/netty#16858

Redis: Limit decoded length by @normanmaurer in netty/netty#16859

DNS: Ensure query id is not predictible by @normanmaurer in netty/netty#16870

Wrapping plain trust manager silently disables hostname verification by @normanmaurer in netty/netty#16868

MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in netty/netty#16852

Fix revapi warnings (#16885) by @chrisvest in netty/netty#16892

HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in netty/netty#16866

SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in netty/netty#16871

DNS: Only cache CNAME if part of the queried domain by @normanmaurer in netty/netty#16873

HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in netty/netty#16876

Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in netty/netty#16877

HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in netty/netty#16880

Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in netty/netty#16886

HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in netty/netty#16883

Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in netty/netty#16894

HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in netty/netty#16881

Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in netty/netty#16872

SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in netty/netty#16875

Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in netty/netty#16878

Redis: Limit the maximum number of nested arrays by @normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

Commits

f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
728c98b Redis: Limit the maximum number of nested arrays (#16882)
ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
Additional commits viewable in compare view

Updates io.netty:netty-codec-http from 4.1.134.Final to 4.1.135.Final

Release notes

Sourced from io.netty:netty-codec-http's releases.

netty-4.1.135.Final

Security fixes

CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).

CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.

CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).

CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.

CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).

CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).

CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.

CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).

CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.

CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).

CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).

CVE-2026-47244: denial of service in io.netty:netty-codec-http2.

CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).

CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

...
Description has been truncated

Bumps `netty.version` from 4.1.134.Final to 4.1.135.Final. Updates `io.netty:netty-buffer` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-handler` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-handler-proxy` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-http` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-mqtt` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-haproxy` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-socks` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-common` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-resolver` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport-native-unix-common` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport-classes-epoll` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport-native-epoll` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport-classes-kqueue` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-transport-native-kqueue` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) Updates `io.netty:netty-codec-http2` from 4.1.134.Final to 4.1.135.Final - [Release notes](https://github.com/netty/netty/releases) - [Commits](netty/netty@netty-4.1.134.Final...netty-4.1.135.Final) --- updated-dependencies: - dependency-name: io.netty:netty-buffer dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-transport dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-handler dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-handler-proxy dependency-version: 4.1.135.Final dependency-type: direct:development update-type: version-update:semver-patch - dependency-name: io.netty:netty-codec dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-codec-http dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-codec-mqtt dependency-version: 4.1.135.Final dependency-type: direct:development update-type: version-update:semver-patch - dependency-name: io.netty:netty-codec-haproxy dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-codec-socks dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-common dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-resolver dependency-version: 4.1.135.Final dependency-type: direct:development update-type: version-update:semver-patch - dependency-name: io.netty:netty-transport-native-unix-common dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-transport-classes-epoll dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-transport-native-epoll dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-transport-classes-kqueue dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-transport-native-kqueue dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: io.netty:netty-codec-http2 dependency-version: 4.1.135.Final dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 3, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ARTEMIS-X Bump netty.version from 4.1.134.Final to 4.1.135.Final#6492

ARTEMIS-X Bump netty.version from 4.1.134.Final to 4.1.135.Final#6492
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/netty.version-4.1.135.Final

dependabot Bot commented on behalf of github Jun 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 3, 2026

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

netty-4.1.135.Final

Security fixes

What's Changed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants