From 284a86ca919c92796a88aae0c3ca4a6d4a9eee09 Mon Sep 17 00:00:00 2001
From: Marty Pradere
Date: Mon, 22 Jun 2026 09:29:27 -0600
Subject: [PATCH] Bump Netty 4.2.14.Final to 4.2.15.Final to patch DNS cache-poisoning CVEs
The OWASP dependency-check report flagged Netty 4.2.14.Final (pulled in transitively via azure-core-http-netty) with 22 active CVEs, including two CRITICAL (CVSS 10.0) DNS cache-poisoning issues in io.netty.resolver.dns.DnsResolveContext: CVE-2026-45674 (CNAME bailiwick validation) and CVE-2026-47691 (NS record bailiwick validation), plus 20 related HIGH/MEDIUM advisories (Redis/HAProxy memory leaks, HTTP/3 and QUIC issues, IPv6 subnet-filter bypass). All are fixed in Netty 4.2.15.Final. The forced versions in the root build.gradle resolutionStrategy interpolate nettyVersion, so this single bump moves all Netty submodules to the patched release.
---
 gradle.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gradle.properties b/gradle.properties
index 801faed103..2e14d27ce9 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -259,8 +259,8 @@ microsoftGraphVersion=6.65.0
 mssqlJdbcVersion=13.4.0.jre11
-# Netty - transitive dependency via azure-core-http-netty; force for CVE-2026-33871, CVE-2026-33870
-nettyVersion=4.2.14.Final
+# Netty - transitive dependency via azure-core-http-netty; force for CVE-2026-33871, CVE-2026-33870, plus CVE-2026-45674 and CVE-2026-47691 (and 20 related) fixed in 4.2.15.Final
+nettyVersion=4.2.15.Final
 # Reactor - transitive dependency via azure-core; force for version consistency across modules
 reactorCoreVersion=3.8.1