Bump Netty to 4.2.15.Final to patch DNS cache-poisoning CVEs#1423
Merged
…CVEs
The OWASP dependency-check report flagged Netty 4.2.14.Final (pulled in transitively via azure-core-http-netty) with 22 active CVEs, including two CRITICAL (CVSS 10.0) DNS cache-poisoning issues in io.netty.resolver.dns.DnsResolveContext: CVE-2026-45674 (CNAME bailiwick validation) and CVE-2026-47691 (NS record bailiwick validation), plus 20 related HIGH/MEDIUM advisories (Redis/HAProxy memory leaks, HTTP/3 and QUIC issues, IPv6 subnet-filter bypass). All are fixed in Netty 4.2.15.Final. The forced versions in the root build.gradle resolutionStrategy interpolate nettyVersion, so this single bump moves all Netty submodules to the patched release.
labkey-adam approved these changes, Jun 22, 2026
labkey-bpatel approved these changes, Jun 22, 2026
labkey-bpatel (Contributor) left a comment:
Looks good!
We are already overriding Azure’s transitive Netty dependencies to use 4.2.14.Final, so updating that pin to 4.2.15.Final is simply a patch-level upgrade within the same Netty 4.2.x release line. Verified that no Azure/Graph SDK version updates are needed for this change.
Rationale
The OWASP dependency-check report flagged Netty 4.2.14.Final (pulled in transitively via azure-core-http-netty) with 22 active CVEs, including two CRITICAL (CVSS 10.0) DNS cache-poisoning issues in io.netty.resolver.dns.DnsResolveContext — CVE-2026-45674 (CNAME bailiwick validation) and CVE-2026-47691 (NS record bailiwick validation) — plus 20 related HIGH/MEDIUM advisories (Redis/HAProxy memory leaks, HTTP/3 and QUIC issues, IPv6 subnet-filter bypass). All are fixed in Netty 4.2.15.Final.
Related Pull Requests
None.
Changes
nettyVersion from 4.2.14.Final to 4.2.15.Final in gradle.properties; the root build.gradle resolutionStrategy interpolates this property, so all forced Netty submodules move to the patched release.
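The following is an added illustration of the pinning pattern the Changes section describes; it is not this repository's build.gradle. It assumes a `nettyVersion` property in gradle.properties (as the PR states), while the concrete submodule list, the `eachDependency` rule and the `verifyNettyVersion` guard task are assumptions added here to show the general shape and one caveat: an explicit `force` list only covers the submodules it names, whereas a group-wide rule also catches any Netty artifact a future transitive dependency pulls in.

```groovy
// Added example (not the project's own build script).
// gradle.properties is assumed to contain:
//   nettyVersion=4.2.15.Final
// Gradle exposes that entry to the build script as the project property `nettyVersion`.

allprojects {
    configurations.all {
        resolutionStrategy {
            // Pattern the PR description refers to: an explicit list of forced
            // submodules, each interpolating the single nettyVersion property.
            // Caveat: any io.netty artifact NOT listed here keeps whatever version
            // the transitive consumer (e.g. azure-core-http-netty) requested.
            force "io.netty:netty-resolver-dns:${nettyVersion}",
                  "io.netty:netty-handler:${nettyVersion}",
                  "io.netty:netty-codec-http2:${nettyVersion}"

            // Group-wide rule: every requested io.netty:* module is rewritten to
            // nettyVersion, listed or not, so a newly introduced transitive
            // submodule cannot silently reintroduce the vulnerable 4.2.14.Final.
            eachDependency { details ->
                if (details.requested.group == 'io.netty') {
                    details.useVersion(nettyVersion)
                    details.because("Netty ${nettyVersion} fixes the DNS cache-poisoning CVEs")
                }
            }
        }
    }

    // Guard task (assumed name): fails the build if any resolved io.netty
    // artifact differs from the pinned version. Wired into `check` so CI
    // catches a regression of the pin, not just a scanner report after the fact.
    plugins.withId('java') {
        tasks.register('verifyNettyVersion') {
            doLast {
                def mismatched = configurations.runtimeClasspath
                    .resolvedConfiguration
                    .resolvedArtifacts
                    .collect { it.moduleVersion.id }
                    .findAll { it.group == 'io.netty' && it.version != nettyVersion }
                    .collect { "${it.group}:${it.name}:${it.version}" }
                    .unique()
                if (!mismatched.isEmpty()) {
                    throw new GradleException(
                        "Netty artifacts not at ${nettyVersion}: ${mismatched}")
                }
            }
        }
        tasks.named('check') { dependsOn 'verifyNettyVersion' }
    }
}
```

To confirm by hand what the guard task checks, `./gradlew :<module>:dependencyInsight --dependency io.netty --configuration runtimeClasspath` prints each io.netty artifact with the version that was selected and the rule that selected it, which is the quickest way to see whether a given submodule was covered by the pin.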