OKAPI-1250: Sunflower: Vertx 4.5.28 fixing Netty vulns#1454

Merged: julianladisch merged 1 commit into b6.2 from OKAPI-1250 on Jun 23, 2026

@julianladisch (Contributor)

https://folio-org.atlassian.net/browse/OKAPI-1250

For Sunflower (okapi b6.2) bump Vert.x from 4.5.27 to 4.5.28.

This transitively bumps Netty from 4.1.133.Final to 4.1.135.Final https://github.com/netty/netty/releases/tag/netty-4.1.135.Final fixing multiple security vulnerabilities:

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

@julianladisch julianladisch requested review from a team and adamdickmeiss June 23, 2026 14:36
@julianladisch julianladisch merged commit be6dde5 into b6.2 Jun 23, 2026
18 checks passed
@julianladisch julianladisch deleted the OKAPI-1250 branch June 23, 2026 15:37
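
A check that could run in CI after a bump like the one in this pull request, written here as an added example (not code from the Okapi repository): it parses `mvn dependency:tree` output and reports any io.netty artifact still resolved below 4.1.135.Final, which can happen when another dependency or a dependencyManagement entry pins Netty. The sample tree is constructed, the function name `stale_netty` is hypothetical, and the comparison assumes the build stays on the Netty 4.1.x line.

```python
import re
import sys

FIXED = (4, 1, 135)  # Netty 4.1.135.Final, the version named in the PR description

# Constructed sample in the format of `mvn dependency:tree` output
# (illustrative only, not taken from the Okapi build).
SAMPLE_TREE = """\
[INFO] org.example:demo-app:jar:1.0.0
[INFO] +- io.vertx:vertx-core:jar:4.5.28:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.135.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.135.Final:compile
[INFO] |  \\- io.netty:netty-resolver-dns:jar:4.1.133.Final:compile
[INFO] \\- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.135.Final:runtime
"""

COORD = re.compile(r"io\.netty:\S+")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def stale_netty(tree_text, minimum=FIXED):
    """Return sorted (artifactId, version) pairs resolved below `minimum`."""
    stale = set()
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        # group:artifact:type[:classifier]:version:scope
        fields = m.group(0).split(":")
        if len(fields) < 5:
            continue
        artifact, version = fields[1], fields[-2]
        v = VERSION.match(version)
        # Fail closed: a version that cannot be parsed is reported too.
        if v is None or tuple(map(int, v.groups())) < minimum:
            stale.add((artifact, version))
    return sorted(stale)


if __name__ == "__main__":
    # Pipe real `mvn dependency:tree` output in, or run bare to use the sample.
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    found = stale_netty(text)
    for artifact, version in found:
        print(f"io.netty:{artifact} resolved to {version}, below 4.1.135.Final")
    sys.exit(1 if found else 0)
```
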