Skip to content

Bump io.netty:netty-all from 4.1.97.Final to 4.2.15.Final#23

Open
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/gradle/io.netty-netty-all-4.2.14.Final
Open

Bump io.netty:netty-all from 4.1.97.Final to 4.2.15.Final#23
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/gradle/io.netty-netty-all-4.2.14.Final

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps io.netty:netty-all from 4.1.97.Final to 4.2.15.Final.

Release notes

Sourced from io.netty:netty-all's releases.

netty-4.2.15.Final

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

New Contributors

Full Changelog: netty/netty@netty-4.2.14.Final...netty-4.2.15.Final

netty-4.2.14.Final

What's Changed

... (truncated)

Commits
  • a41f7b2 [maven-release-plugin] prepare release netty-4.2.15.Final
  • 2394530 Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
  • 0bd1657 Add maxWindowLog parameter to ZstdDecoder to bound memory allocation (#16850)
  • 76291f5 Fix SCTP and Redis tests (#16893)
  • e067b6e Fix revapi warnings (#16885)
  • 5a52600 Pass maxAllocation to Brotli and Zstd decoders (#16844)
  • 541add0 Merge commit from fork
  • 270800e Merge commit from fork
  • 3d45a1e Merge commit from fork
  • 75127ca Merge commit from fork
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels May 23, 2026
@dependabot dependabot Bot force-pushed the dependabot/gradle/io.netty-netty-all-4.2.14.Final branch from cabc3d0 to 29c2139 Compare May 23, 2026 18:15
@dependabot dependabot Bot changed the title Bump io.netty:netty-all from 4.1.97.Final to 4.2.14.Final Bump io.netty:netty-all from 4.1.97.Final to 4.2.15.Final Jun 14, 2026
@dependabot dependabot Bot force-pushed the dependabot/gradle/io.netty-netty-all-4.2.14.Final branch from 29c2139 to 74688ee Compare June 14, 2026 03:14
@dependabot
Bump io.netty:netty-all from 4.1.97.Final to 4.2.15.Final
c69418b 
Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.1.97.Final to 4.2.15.Final.
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.1.97.Final...netty-4.2.15.Final)

---
updated-dependencies:
- dependency-name: io.netty:netty-all
  dependency-version: 4.2.14.Final
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/gradle/io.netty-netty-all-4.2.14.Final branch from 74688ee to c69418b Compare June 17, 2026 20:43
@dependabot @github

dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown
Contributor Author

A newer version of io.netty:netty-all exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@UplandJacob