Bump io.netty:netty-transport-native-epoll from 4.1.133.Final to 4.1.135.Final in /hadoop-project

[dependabot]

Bumps io.netty:netty-transport-native-epoll from 4.1.133.Final to 4.1.135.Final.

Release notes

Sourced from io.netty:netty-transport-native-epoll's releases.

netty-4.1.135.Final

Security fixes

• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
• CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

• Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @​netty-project-bot in netty/netty#16834
• ChannelInitializer: correct misleading comment on exceptionCaught route by @​daguimu in netty/netty#16847
• HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @​yawkat in netty/netty#16856
• HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @​normanmaurer in netty/netty#16861
• IpSubnetFilter: Correctly handle ipv6 by @​normanmaurer in netty/netty#16860
• Configurable bound on RedisArrayAggregator by @​normanmaurer in netty/netty#16858
• Redis: Limit decoded length by @​normanmaurer in netty/netty#16859
• DNS: Ensure query id is not predictible by @​normanmaurer in netty/netty#16870
• Wrapping plain trust manager silently disables hostname verification by @​normanmaurer in netty/netty#16868
• MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @​daguimu in netty/netty#16852
• Fix revapi warnings (#16885) by @​chrisvest in netty/netty#16892
• HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @​normanmaurer in netty/netty#16866
• SSL: Use sane defaults as limits for the client hello length and timeout by @​normanmaurer in netty/netty#16871
• DNS: Only cache CNAME if part of the queried domain by @​normanmaurer in netty/netty#16873
• HTTP/2: Enforce max concurrent streams for misbehaving clients by @​normanmaurer in netty/netty#16876
• Dns: Insufficient Bailiwick Validation for NS Records by @​normanmaurer in netty/netty#16877
• HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @​normanmaurer in netty/netty#16880
• Pass maxAllocation to Brotli and Zstd decoders (#16844) by @​chrisvest in netty/netty#16886
• HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @​normanmaurer in netty/netty#16883
• Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @​netty-project-bot in netty/netty#16894
• HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @​normanmaurer in netty/netty#16881
• Epoll / Kqueue: Correctly handle receive of FD by @​normanmaurer in netty/netty#16872
• SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @​normanmaurer in netty/netty#16875
• Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @​normanmaurer in netty/netty#16878
• Redis: Limit the maximum number of nested arrays by @​normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits

• f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
• 728c98b Redis: Limit the maximum number of nested arrays (#16882)
• ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
• cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
• 652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
• bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
• d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
• b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
• 51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
• db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	30m 10s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+1 💚	mvninstall	63m 19s		trunk passed
+1 💚	compile	0m 48s		trunk passed with JDK Ubuntu-21.0.11+10-1-24.04.2-Ubuntu
+1 💚	compile	0m 51s		trunk passed with JDK Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
+1 💚	mvnsite	0m 54s		trunk passed
+1 💚	javadoc	0m 54s		trunk passed with JDK Ubuntu-21.0.11+10-1-24.04.2-Ubuntu
+1 💚	javadoc	0m 52s		trunk passed with JDK Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
+1 💚	shadedclient	113m 32s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 17s		the patch passed
+1 💚	compile	0m 16s		the patch passed with JDK Ubuntu-21.0.11+10-1-24.04.2-Ubuntu
+1 💚	javac	0m 16s		the patch passed
+1 💚	compile	0m 17s		the patch passed with JDK Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
+1 💚	javac	0m 17s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	0m 22s		the patch passed
+1 💚	javadoc	0m 19s		the patch passed with JDK Ubuntu-21.0.11+10-1-24.04.2-Ubuntu
+1 💚	javadoc	0m 21s		the patch passed with JDK Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
+1 💚	shadedclient	44m 56s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	0m 22s		hadoop-project in the patch passed.
+1 💚	asflicense	0m 50s		The patch does not generate ASF License warnings.
		193m 19s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8538/1/artifact/out/Dockerfile
GITHUB PR	#8538
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname	Linux b6331484191b 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 7e1c779
Default Java	Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
Multi-JDK versions	/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.11+10-1-24.04.2-Ubuntu /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.19+10-1-24.04.2-Ubuntu
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8538/1/testReport/
Max. process+thread count	583 (vs. ulimit of 10000)
modules	C: hadoop-project U: hadoop-project
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8538/1/console
versions	git=2.43.0 maven=3.9.15
Powered by	Apache Yetus 0.14.1 https://yetus.apache.org

This message was automatically generated.