Fix SCTP and Redis tests #16893

Merged: chrisvest merged 2 commits into 4.2 from 4.2-fix-sctp-test, Jun 2, 2026

@chrisvest chrisvest commented Jun 2, 2026

Member

Motivation:
In SCTP, the test fails because the assertion doesn't match the current code. It's possible the code was updated in response to review comments, while the test wasn't updated to match.
In Redis, we had two PRs merged in incompatible ways where one broke the tests of the other.

Modification:

  • Correct the assertions to match that the handler now closes the channel in exceptionCaught.
  • Make sure that the RedisArrayAggregator releases its messages through both the nested array failure path, as well as on handler removed.

Result:
The transport-sctp and codec-redis module tests now pass.

Motivation:
The test fails because the assertion doesn't match the current code.
It's possible the code was updated in response to review comments, while the test wasn't updated to match.

Modification:
Correct the assertions to match that the handler now closes the channel in exceptionCaught.

Result:
The transport-sctp module tests now pass.
@chrisvest chrisvest added this to the 4.2.15.Final milestone Jun 2, 2026
@chrisvest chrisvest requested a review from normanmaurer June 2, 2026 00:26
@chrisvest chrisvest added needs-cherry-pick-4.1 This PR should be cherry-picked to 4.1 once merged. needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. labels Jun 2, 2026
Motivation:
The test fails because two PRs got merged in incompatible ways.

Modification:
Make sure that the RedisArrayAggregator releases its messages through both the nested array failure path, as well as on handler removed.

Result:
The codec-redis module tests now pass.
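
The release-on-failure and release-on-removal behaviour named in the modification notes above, shown as an added Java example; it is not code from this PR or from Netty's RedisArrayAggregator. `ReleasingArrayAggregator`, its `maxDepth` nesting limit and the constructed input in `main` are assumptions, and the class needs netty-codec-redis on the classpath.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.CodecException;
import io.netty.handler.codec.MessageToMessageDecoder;
import io.netty.handler.codec.redis.ArrayHeaderRedisMessage;
import io.netty.handler.codec.redis.ArrayRedisMessage;
import io.netty.handler.codec.redis.FullBulkStringRedisMessage;
import io.netty.handler.codec.redis.RedisMessage;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;

// Hypothetical handler written for this example; it is not Netty's RedisArrayAggregator.
public final class ReleasingArrayAggregator extends MessageToMessageDecoder<RedisMessage> {
    // One partially assembled array: declared length plus the children retained so far.
    private static final class Pending {
        final long length;
        final List<RedisMessage> children = new ArrayList<>(); // grows only with data received
        Pending(long length) { this.length = length; }
    }

    private final int maxDepth; // assumed nesting limit, chosen by the caller
    private final Deque<Pending> stack = new ArrayDeque<>();

    public ReleasingArrayAggregator(int maxDepth) { this.maxDepth = maxDepth; }

    @Override
    protected void decode(ChannelHandlerContext ctx, RedisMessage msg, List<Object> out) {
        RedisMessage current;
        if (msg instanceof ArrayHeaderRedisMessage) {
            ArrayHeaderRedisMessage header = (ArrayHeaderRedisMessage) msg;
            if (header.isNull()) {
                current = ArrayRedisMessage.NULL_INSTANCE;
            } else if (header.length() == 0) {
                current = ArrayRedisMessage.EMPTY_INSTANCE;
            } else {
                if (stack.size() >= maxDepth) {
                    releasePending(); // failure path: drop everything buffered before throwing
                    throw new CodecException("array nesting deeper than " + maxDepth);
                }
                stack.push(new Pending(header.length()));
                return;
            }
        } else {
            // The base class releases msg after decode() returns, so keep our own reference.
            current = ReferenceCountUtil.retain(msg);
        }
        while (!stack.isEmpty()) {
            Pending top = stack.peek();
            top.children.add(current);
            if (top.children.size() < top.length) return; // still waiting for more elements
            stack.pop();
            current = new ArrayRedisMessage(top.children); // the array owns its children now
        }
        out.add(current);
    }

    @Override
    public void handlerRemoved(ChannelHandlerContext ctx) throws Exception {
        releasePending(); // removal path: nothing downstream will ever receive these
        super.handlerRemoved(ctx);
    }

    // Releases every child of every unfinished array, innermost first.
    private void releasePending() {
        for (Pending p; (p = stack.poll()) != null; ) {
            for (RedisMessage child : p.children) {
                ReferenceCountUtil.release(child);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: a 3-element array of which only one element ever arrives.
        FullBulkStringRedisMessage bulk =
                new FullBulkStringRedisMessage(Unpooled.copiedBuffer("a", CharsetUtil.UTF_8));
        ReleasingArrayAggregator aggregator = new ReleasingArrayAggregator(8);
        EmbeddedChannel ch = new EmbeddedChannel(aggregator);
        ch.writeInbound(new ArrayHeaderRedisMessage(3), bulk);
        System.out.println("refCnt while buffered: " + bulk.refCnt());
        ch.pipeline().remove(aggregator); // triggers handlerRemoved
        System.out.println("refCnt after removal: " + bulk.refCnt());
        ch.finish();
    }
}
```

Without the two `releasePending()` calls the buffered element keeps a non-zero reference count after the handler is gone, which is the kind of leak a test with leak detection enabled will flag.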
@chrisvest chrisvest changed the title Fix SCTP test Fix SCTP and Redis tests Jun 2, 2026
@chrisvest chrisvest merged commit 76291f5 into 4.2 Jun 2, 2026
17 of 19 checks passed
@chrisvest chrisvest deleted the 4.2-fix-sctp-test branch June 2, 2026 03:05
@netty-project-bot

Contributor

Could not create auto-port PR.
Got conflicts when cherry-picking onto 4.1.

@netty-project-bot

Contributor

Could not create auto-port PR.
Got conflicts when cherry-picking onto 5.0.

@chrisvest chrisvest removed the needs-cherry-pick-4.1 This PR should be cherry-picked to 4.1 once merged. label Jun 4, 2026
@chrisvest

Member Author

4.1 backport already done

@chrisvest

Member Author

Port to 5.0: #16914

@chrisvest chrisvest removed the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Jun 4, 2026
chrisvest added a commit that referenced this pull request Jun 5, 2026
- #16881
- #16876
- #16866
- #16870
- #16837
- #16858
- #16882
- #16893

---------

Co-authored-by: Norman Maurer <norman_maurer@apple.com>
Co-authored-by: Violeta Georgieva <696661+violetagg@users.noreply.github.com>
Co-authored-by: Szymon Habrainski <56340221+schiemon@users.noreply.github.com>
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
…ip ci]

Bumps `netty.version` from 4.2.14.Final to 4.2.15.Final.
Updates `io.netty:netty-transport` from 4.2.14.Final to 4.2.15.Final
Release notes

*Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).*

> netty-4.2.15.Final
> ------------------
>
> Security fixes
> --------------
>
> * [CVE-2026-48059](GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-47691](GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-XXXXX](GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`.
> * [CVE-2026-50011](GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44250](GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-44890](GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-50009](GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`.
> * [CVE-2026-44249](GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high).
> * [CVE-2026-50020](GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`.
> * [CVE-2026-44892](GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-44893](GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high).
> * [CVE-2026-44894](GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high).
> * [CVE-2026-50010](GHSA-c653-97m9-rcg9): TLS hostname verification accidentally disabled in `io.netty:netty-handler` (high).
> * [CVE-2026-45673](GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`.
> * [CVE-2026-45416](GHSA-x4gw-5cx5-pgmh): excessive memory usage from SNIHandler in `io.netty:netty-handler` (high).
> * [CVE-2026-45536](GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`.
> * [CVE-2026-45674](GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high).
> * [CVE-2026-46340](GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high).
> * [CVE-2026-47244](GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`.
> * [CVE-2026-48006](GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high).
> * [CVE-2026-48748](GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high).
> * [CVE-2026-48043](GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`.
>
> What's Changed
> --------------
>
> * Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16836](https://redirect.github.com/netty/netty/pull/16836)
> * HTTP/2: Parse request-target path like Vert.x by [`@​yawkat`](https://github.com/yawkat) in [netty/netty#16810](https://redirect.github.com/netty/netty/pull/16810)
> * Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16853](https://redirect.github.com/netty/netty/pull/16853)
> * FlowControlHandler: Suppress duplicate channelReadComplete after draining queue ([#15053](https://redirect.github.com/netty/netty/issues/15053)) by [`@​schiemon`](https://github.com/schiemon) in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * Pass maxAllocation to Brotli and Zstd decoders by [`@​fedinskiy`](https://github.com/fedinskiy) in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
> * Fix revapi warnings by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16885](https://redirect.github.com/netty/netty/pull/16885)
> * Fix SCTP and Redis tests by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16893](https://redirect.github.com/netty/netty/pull/16893)
> * Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by [`@​skyguard1`](https://github.com/skyguard1) in [netty/netty#16850](https://redirect.github.com/netty/netty/pull/16850)
> * Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16890](https://redirect.github.com/netty/netty/pull/16890)
>
> New Contributors
> ----------------
>
> * [`@​schiemon`](https://github.com/schiemon) made their first contribution in [netty/netty#16837](https://redirect.github.com/netty/netty/pull/16837)
> * [`@​fedinskiy`](https://github.com/fedinskiy) made their first contribution in [netty/netty#16844](https://redirect.github.com/netty/netty/pull/16844)
>
> **Full Changelog**: <netty/netty@netty-4.2.14.Final...netty-4.2.15.Final>


Commits

* [`a41f7b2`](netty/netty@a41f7b2) [maven-release-plugin] prepare release netty-4.2.15.Final
* [`2394530`](netty/netty@2394530) Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
* [`0bd1657`](netty/netty@0bd1657) Add maxWindowLog parameter to ZstdDecoder to bound memory allocation ([#16850](https://redirect.github.com/netty/netty/issues/16850))
* [`76291f5`](netty/netty@76291f5) Fix SCTP and Redis tests ([#16893](https://redirect.github.com/netty/netty/issues/16893))
* [`e067b6e`](netty/netty@e067b6e) Fix revapi warnings ([#16885](https://redirect.github.com/netty/netty/issues/16885))
* [`5a52600`](netty/netty@5a52600) Pass maxAllocation to Brotli and Zstd decoders ([#16844](https://redirect.github.com/netty/netty/issues/16844))
* [`541add0`](netty/netty@541add0) Merge commit from fork
* [`270800e`](netty/netty@270800e) Merge commit from fork
* [`3d45a1e`](netty/netty@3d45a1e) Merge commit from fork
* [`75127ca`](netty/netty@75127ca) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)
  
Updates `io.netty:netty-codec` from 4.2.14.Final to 4.2.15.Final
  
Updates `io.netty:netty-handler` from 4.2.14.Final to 4.2.15.Final
  
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 7, 2026
…l [skip ci]

Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.14.Final to 4.2.15.Final.