From 61ab4f238d76f3e5668c8e7cddc4be7fe389a309 Mon Sep 17 00:00:00 2001 From: Mikita Hradovich Date: Mon, 15 Jun 2026 14:56:15 +0200 Subject: [PATCH] fix: bump netty to 4.1.135.Final to remediate CVE-2026-44249 and CVE-2026-45416 netty-handler prior to 4.1.135.Final is affected by two HIGH severity vulnerabilities: - CVE-2026-44249 (CVSS 8.1): IpSubnetFilterRule.compareTo() performs an incorrect masking operation, allowing attackers to bypass IPv6 subnet ACL rules with valid public IP addresses. - CVE-2026-45416 (CVSS 7.5): SslClientHelloHandler.decode() eagerly allocates up to 16 MiB of unpooled memory when maxClientHelloLength=0 (the SniHandler default). A crafted TLS ClientHello can trigger memory exhaustion (DoS). One-line change in the root pom.xml. All consumers of java-driver-core will inherit the fix transitively once a new driver release is published. Tracked in: scylladb/kafka-connect-scylladb#184 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 79f7be9e35d..51ef91eeb6a 100644 --- a/pom.xml +++ b/pom.xml @@ -58,7 +58,7 @@ 2.2.2 4.2.38 - 4.1.133.Final + 4.1.135.Final 1.2.1
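Review bot: the hunk changes a single property value (`- 4.1.133.Final` / `+ 4.1.135.Final`) in the root pom.xml, but nothing in the patch shows which netty artifacts that property governs, so the claim in the commit message that netty-handler (and with it IpSubnetFilterRule and SslClientHelloHandler) moves to 4.1.135.Final needs verification before merge. Please confirm that every netty artifact in the build (handler, codec, transport, and any native transport classifiers) is versioned through this one property and that no module pins its own netty version or pulls an older one transitively; a `mvn dependency:tree -Dincludes=io.netty` run on the result would show that, and pasting the relevant lines into the PR would make the remediation auditable. Since the fix relies on a version string rather than a code change, it would also be worth guarding against regression, for example with a maven-enforcer rule that bans `io.netty:*` below 4.1.135.Final, so a later dependency bump cannot silently reintroduce the vulnerable range. Finally, the message describes the affected components and the downstream tracking issue, but not the release that first carries the fix; a note on when the new driver release is planned would help consumers who are waiting on the transitive update.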