[SPARK-57320][BUILD] Upgrade Netty to 4.2.15.Final

[dongjoon-hyun]

What changes were proposed in this pull request?

This PR aims to upgrade Netty to 4.2.15.Final.

Why are the changes needed?

To bring the latest bug fixes:

• https://netty.io/news/2026/06/01/4-2-15-Final.html

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.
  • Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup netty/netty#16836
  • HTTP/2: Parse request-target path like Vert.x netty/netty#16810
  • Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route netty/netty#16853
  • FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) netty/netty#16837
  • Pass maxAllocation to Brotli and Zstd decoders netty/netty#16844
  • Add maxWindowLog parameter to ZstdDecoder to bound memory allocation netty/netty#16850
  • Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length netty/netty#16890

• https://netty.io/news/2026/05/20/4-2-14-Final.html

  • HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake netty/netty#16747
  • Avoid re-parsing openssl key material with non-cached provider netty/netty#16759
  • Adaptive: Fix concurrency issue in adaptive allocator netty/netty#16767
  • Auto-port 4.2: Make bulk byte moving in ByteBuf faster netty/netty#16781
  • Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe netty/netty#16788

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Pass the CIs.

Was this patch authored or co-authored using generative AI tooling?

Generated-by: Claude Opus 4.8

[dongjoon-hyun]

Thank you, @HyukjinKwon !

[dongjoon-hyun]

The failures of org.apache.spark.sql.pipelines.graph.AutoCdcScd1FullRefreshSuite are irrelevant because they exist in the master branch currently.

• https://github.com/apache/spark/actions/runs/27166004427/job/80196384953

Merged to master.