
@julianladisch
Contributor

https://folio-org.atlassian.net/browse/SIP2-305

Purpose

Fix security vulnerabilities for Ramsons CSP:

Approach

In the Ramsons branch b3.3 upgrade

  • RMB from 35.3.0 to 35.3.2
  • Vert.x from 4.5.10 to 4.5.23

These upgrades transitively upgrade

  • Netty from 4.1.113.Final to 4.1.130.Final

The new Netty version fixes the vulnerabilities.

Release it as edge-sip2 3.3.4 Ramsons CSP.

Changes Checklist

  • n/a API Changes: Document any API paths, methods, request or response bodies changed, added, or removed.
  • n/a Database Schema Changes: Indicate any database schema changes and their impact. Confirm that migration scripts were created.
  • n/a Interface Version Changes: Indicate any changes to interface versions.
  • n/a Interface Dependencies: Document added or removed dependencies.
  • n/a Permissions: Document any changes to permissions.
  • Logging: Confirm that logging is appropriately handled.
  • Unit Testing: Confirm that changed classes were covered by unit tests.
  • Integration Testing: Confirm that changed logic was covered by integration tests.
  • Manual Testing: Confirm that changes were tested on local or dev environment.
  • NEWS: Confirm that the NEWS file is updated with relevant information about the changes made in this pull request.

Related Issues

SIP2-305

Screenshots (if applicable)

mvn dependency:tree -Dincludes=io.netty

[INFO] org.folio:edge-sip2:jar:3.3.4
[INFO] \- io.vertx:vertx-core:jar:4.5.23:compile
[INFO]    +- io.netty:netty-common:jar:4.1.130.Final:compile
[INFO]    +- io.netty:netty-buffer:jar:4.1.130.Final:compile
[INFO]    +- io.netty:netty-transport:jar:4.1.130.Final:compile
[INFO]    +- io.netty:netty-handler:jar:4.1.130.Final:compile
[INFO]    |  +- io.netty:netty-transport-native-unix-common:jar:4.1.130.Final:compile
[INFO]    |  \- io.netty:netty-codec:jar:4.1.130.Final:compile
[INFO]    +- io.netty:netty-handler-proxy:jar:4.1.130.Final:compile
[INFO]    |  \- io.netty:netty-codec-socks:jar:4.1.130.Final:compile
[INFO]    +- io.netty:netty-codec-http:jar:4.1.130.Final:compile
[INFO]    +- io.netty:netty-codec-http2:jar:4.1.130.Final:compile
[INFO]    +- io.netty:netty-resolver:jar:4.1.130.Final:compile
[INFO]    \- io.netty:netty-resolver-dns:jar:4.1.130.Final:compile
[INFO]       \- io.netty:netty-codec-dns:jar:4.1.130.Final:compile

https://folio-org.atlassian.net/browse/SIP2-305

Fix security vulnerabilities for Ramsons CSP:

* CVE-2025-67735 - netty-codec-http - CRLF injection - https://folio-org.atlassian.net/browse/FOLIO-4430
* CVE-2025-24970 - netty-handler SSLEngine native crash - https://folio-org.atlassian.net/browse/FOLIO-4339

Approach

In the Ramsons branch b3.3 upgrade

* RMB from 35.3.0 to 35.3.2
* Vert.x from 4.5.10 to 4.5.23

These upgrades transitively upgrade

* Netty from 4.1.113.Final to 4.1.130.Final

The new Netty version fixes the vulnerabilities.

Release it as edge-sip2 3.3.4 Ramsons CSP.
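The PR verifies the fix by reading the `mvn dependency:tree -Dincludes=io.netty` output by eye. The following checker is an added example, not code from the PR or from the edge-sip2 project: it parses that output and reports any `io.netty` artifact still resolved below the target version (4.1.130.Final, the version the PR upgrades to). The first sample lines are taken from the tree shown in the PR; the final `some.other:lib` subtree and its stale `netty-handler` entry are constructed to show what a failed check looks like. Lines marked `omitted for` (which appear only with `-Dverbose`) are skipped, because they are not the version Maven actually resolves.

```python
import re
import sys
from typing import List, Tuple

# Matches one Maven coordinate as printed by dependency:tree:
# group:artifact:type:version:scope  (e.g. io.netty:netty-common:jar:4.1.130.Final:compile)
DEP_RE = re.compile(
    r"\b(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):(?P<version>[\w.-]+):(?P<scope>\w+)\b"
)

# Constructed sample input. Lines 1-6 are copied from the PR's tree output;
# the last two lines are a constructed stale subtree for demonstration only.
SAMPLE_TREE_LINES = [
    "[INFO] org.folio:edge-sip2:jar:3.3.4",
    r"[INFO] \- io.vertx:vertx-core:jar:4.5.23:compile",
    "[INFO]    +- io.netty:netty-common:jar:4.1.130.Final:compile",
    "[INFO]    +- io.netty:netty-codec-http:jar:4.1.130.Final:compile",
    r"[INFO]    \- io.netty:netty-resolver-dns:jar:4.1.130.Final:compile",
    r"[INFO]       \- io.netty:netty-codec-dns:jar:4.1.130.Final:compile",
    r"[INFO] \- some.other:lib:jar:1.0:compile",                        # constructed
    r"[INFO]    \- io.netty:netty-handler:jar:4.1.113.Final:compile",   # constructed, stale
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Leading numeric components of a Maven version; qualifiers such as
    'Final' are dropped, so '4.1.130.Final' -> (4, 1, 130)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def netty_artifacts(tree_lines) -> List[Tuple[str, str]]:
    """Every resolved io.netty (artifact, version) pair in dependency:tree output,
    in order of appearance. '-Dverbose' lines marked 'omitted for' are skipped
    because they are candidates Maven did not select."""
    found = []
    for line in tree_lines:
        if "omitted for" in line:
            continue
        match = DEP_RE.search(line)
        if match and match.group("group") == "io.netty":
            pair = (match.group("artifact"), match.group("version"))
            if pair not in found:
                found.append(pair)
    return found


def stale_artifacts(tree_lines, minimum: str = "4.1.130.Final") -> List[Tuple[str, str]]:
    """io.netty artifacts resolved below `minimum`, sorted by artifact name."""
    floor = parse_version(minimum)
    return sorted(
        (artifact, version)
        for artifact, version in netty_artifacts(tree_lines)
        if parse_version(version) < floor
    )


if __name__ == "__main__":
    # Usage: mvn dependency:tree -Dincludes=io.netty | python check_netty.py
    # (the script name is hypothetical); with no stdin, the constructed sample is used.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_TREE_LINES
    stale = stale_artifacts(lines)
    for artifact, version in stale:
        print(f"STALE: io.netty:{artifact} resolved to {version}")
    print("OK: all io.netty artifacts at or above 4.1.130.Final" if not stale else f"{len(stale)} stale")
    sys.exit(1 if stale else 0)
```

Run against the PR's own output the check passes; the constructed sample exits non-zero because of the stale `netty-handler`. Such a check belongs in CI next to the upgrade, since a later dependency can reintroduce an older Netty through nearest-wins resolution without any change to the direct RMB or Vert.x versions.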
@julianladisch julianladisch requested a review from a team January 10, 2026 19:47

@julianladisch julianladisch merged commit e77138a into b3.3 Jan 20, 2026
4 checks passed
@julianladisch julianladisch deleted the SIP2-305 branch January 20, 2026 11:56