From 7ddb4248b8bcaa9269288f021928c7dedfb68ce1 Mon Sep 17 00:00:00 2001
From: Steve Liu
Date: Thu, 14 Aug 2025 11:59:29 -0700
Subject: [PATCH 1/3] add netty bom for patching cve

---
 dependencyManagement/build.gradle.kts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index 7bb24e3543..051105207a 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -40,6 +40,7 @@ val dependencyBoms = listOf(
 "com.google.protobuf:protobuf-bom:3.25.1",
 "com.linecorp.armeria:armeria-bom:1.26.4",
 "io.grpc:grpc-bom:1.59.1",
+ "io.netty:netty-bom:4.1.124.Final", // Fix for CVE-2025-55163
 "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
 "org.apache.logging.log4j:log4j-bom:2.21.1",
 "org.junit:junit-bom:5.10.1",

From e5bc1369dbb6594590d2d7167a585b333df1f8b6 Mon Sep 17 00:00:00 2001
From: Steve Liu
Date: Thu, 14 Aug 2025 14:02:11 -0700
Subject: [PATCH 2/3] Update dependencyManagement/build.gradle.kts

Co-authored-by: Thomas Pierce
---
 dependencyManagement/build.gradle.kts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index 051105207a..25d299c990 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -40,7 +40,7 @@ val dependencyBoms = listOf(
 "com.google.protobuf:protobuf-bom:3.25.1",
 "com.linecorp.armeria:armeria-bom:1.26.4",
 "io.grpc:grpc-bom:1.59.1",
- "io.netty:netty-bom:4.1.124.Final", // Fix for CVE-2025-55163
+ "io.netty:netty-bom:4.1.124.Final", // Fix for CVE-2025-55163, remove once https://github.com/aws/aws-sdk-java-v2/pull/6344 is released.
 "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
 "org.apache.logging.log4j:log4j-bom:2.21.1",
 "org.junit:junit-bom:5.10.1",

From cb9bfbd496c9c40c43919a77bed3e8c976b20092 Mon Sep 17 00:00:00 2001
From: Steve Liu
Date: Thu, 14 Aug 2025 14:43:45 -0700
Subject: [PATCH 3/3] lint fix

---
 dependencyManagement/build.gradle.kts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index 25d299c990..11a6441070 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -40,7 +40,9 @@ val dependencyBoms = listOf(
 "com.google.protobuf:protobuf-bom:3.25.1",
 "com.linecorp.armeria:armeria-bom:1.26.4",
 "io.grpc:grpc-bom:1.59.1",
- "io.netty:netty-bom:4.1.124.Final", // Fix for CVE-2025-55163, remove once https://github.com/aws/aws-sdk-java-v2/pull/6344 is released.
+ // netty-bom is a fix for CVE-2025-55163 (https://github.com/advisories/GHSA-prj3-ccx8-p6x4).
+ // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6344 is released.
+ "io.netty:netty-bom:4.1.124.Final",
 "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
 "org.apache.logging.log4j:log4j-bom:2.21.1",
 "org.junit:junit-bom:5.10.1",
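Review bot: Nothing in this hunk verifies that the new `io.netty:netty-bom:4.1.124.Final` entry actually wins resolution, which is the whole point of a CVE override: `dependencyBoms` is consumed outside the hunk (the `listOf(` starts before it and the list continues after it), and whether a BOM listed here overrides the Netty versions presumably carried by the neighbouring `armeria-bom:1.26.4`, `grpc-bom:1.59.1` and the AWS SDK's transitive pin depends on whether the list is applied as `platform` or `enforcedPlatform` — confirm at the consumer site and add a CI check that the resolved `io.netty` artifacts (at least `netty-codec-http2`, the module the advisory concerns) are `>= 4.1.124.Final`, e.g. gating on `./gradlew dependencyInsight --dependency io.netty:netty-codec-http2`. The added comment also gives no removal criterion beyond a PR being released, so someone could drop the override before the SDK version this project pins has actually moved; suggest `// Temporary override: forces every io.netty artifact to 4.1.124.Final for CVE-2025-55163 (https://github.com/advisories/GHSA-prj3-ccx8-p6x4).` followed by `// Remove only once the aws-sdk-java-v2 version used here transitively requires >= 4.1.124.Final (tracking https://github.com/aws/aws-sdk-java-v2/pull/6344).`.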