Update Netty to 4.1.130 (CVE-2025-67735) (#1271)

vastin · web-flow · commit 5037d5938b2e · 2025-12-31T09:37:31.000-08:00
*Issue #, if available:*

*Description of changes:*


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,10 @@ If your change does not need a CHANGELOG entry, add the "skip changelog" label t
 
 ## Unreleased
 
+- Bump Netty version to 4.1.130 Final
+  ([#1271](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1271))
+
+
 ### Enhancements
 
 - Add Application Signals Dimensions to EMF exporter
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
@@ -40,10 +40,10 @@ val dependencyBoms = listOf(
   "com.google.protobuf:protobuf-bom:3.25.1",
   "com.linecorp.armeria:armeria-bom:1.26.4",
   "io.grpc:grpc-bom:1.59.1",
-  // netty-bom is a fix for CVE-2025-58056 (https://github.com/advisories/GHSA-fghv-69vj-qj49).
-  // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6398 and https://github.com/aws/aws-sdk-java/pull/3192
-  // are both merged and released, and we update the corresponding dependencies.
-  "io.netty:netty-bom:4.1.126.Final",
+  // netty-bom is a fix for CVE-2025-67735 (https://github.com/advisories/GHSA-84h7-rjj3-6jx4).
+  // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6635 is released and
+  // AWS SDK for Java (v1) is upgraded to 1.12.796 at least.
+  "io.netty:netty-bom:4.1.130.Final",
   "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
   "org.apache.logging.log4j:log4j-bom:2.21.1",
   "org.junit:junit-bom:5.10.1",
