This is an automated email from the ASF dual-hosted git repository.
peter-toth pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new 18bff2d53229 [SPARK-56817][BUILD] Upgrade Netty to 4.2.13.Final
18bff2d53229 is described below
commit 18bff2d532290251590f06f3a23a4a8873112b33
Author: YangJie <[email protected]>
AuthorDate: Wed May 13 17:19:10 2026 +0200
[SPARK-56817][BUILD] Upgrade Netty to 4.2.13.Final
### What changes were proposed in this pull request?
This PR upgrades `Netty` to 4.2.13.Final.
### Why are the changes needed?
This version includes the 11 CVE fixes:
- [CVE-2026-42586](https://github.com/netty/netty/security/advisories/GHSA-rgrr-p7gp-5xj7) (netty-codec-redis)
- [CVE-2026-42578](https://github.com/netty/netty/security/advisories/GHSA-45q3-82m4-75jr) (netty-handler-proxy)
- [CVE-2026-42577](https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p) (netty-transport-native-epoll)
- [CVE-2026-42587](https://github.com/netty/netty/security/advisories/GHSA-f6hv-jmp6-3vwv) (netty-codec-http, netty-codec-http2)
- [CVE-2026-41417](https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv) (netty-codec-http)
- [CVE-2026-42581](https://github.com/netty/netty/security/advisories/GHSA-xxqh-mfjm-7mv9) (netty-codec-http)
- [CVE-2026-42580](https://github.com/netty/netty/security/advisories/GHSA-m4cv-j2px-7723) (netty-codec-http)
- [CVE-2026-42585](https://github.com/netty/netty/security/advisories/GHSA-38f8-5428-x5cv) (netty-codec-http)
- [CVE-2026-42579](https://github.com/netty/netty/security/advisories/GHSA-cm33-6792-r9fm) (netty-codec-dns)
- [CVE-2026-42582](https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw) (netty-codec-http3)
- [CVE-2026-42583](https://github.com/netty/netty/security/advisories/GHSA-mj4r-2hfc-f8p6) (netty-codec, netty-codec-compression)
- [CVE-2026-42584](https://github.com/netty/netty/security/advisories/GHSA-57rv-r2g8-2cj3) (netty-codec-http)
- [CVE-2026-44248](https://github.com/netty/netty/security/advisories/GHSA-jfg9-48mv-9qgx) (netty-codec-mqtt)
At least the following issues may have affected Apache Spark:
- https://github.com/apache/spark/security/dependabot/187
The full release notes are as follows:
- https://netty.io/news/2026/05/04/4-2-13-Final.html
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
- Pass GitHub Actions
### Was this patch authored or co-authored using generative AI tooling?
No
Closes #55737 from LuciferYang/netty-4.2.13.
Authored-by: YangJie <[email protected]>
Signed-off-by: Peter Toth <[email protected]>
---
dev/deps/spark-deps-hadoop-3-hive-2.3 | 46 +++++++++++++++++------------------
pom.xml | 2 +-
2 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3
b/dev/deps/spark-deps-hadoop-3-hive-2.3
index afdba1990bc8..7c182a16d8d7 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -196,35 +196,35 @@ metrics-jmx/4.2.37//metrics-jmx-4.2.37.jar
metrics-json/4.2.37//metrics-json-4.2.37.jar
metrics-jvm/4.2.37//metrics-jvm-4.2.37.jar
minlog/1.3.0//minlog-1.3.0.jar
-netty-all/4.2.12.Final//netty-all-4.2.12.Final.jar
-netty-buffer/4.2.12.Final//netty-buffer-4.2.12.Final.jar
-netty-codec-base/4.2.12.Final//netty-codec-base-4.2.12.Final.jar
-netty-codec-compression/4.2.12.Final//netty-codec-compression-4.2.12.Final.jar
-netty-codec-dns/4.2.12.Final//netty-codec-dns-4.2.12.Final.jar
-netty-codec-http/4.2.12.Final//netty-codec-http-4.2.12.Final.jar
-netty-codec-http2/4.2.12.Final//netty-codec-http2-4.2.12.Final.jar
-netty-codec-socks/4.2.12.Final//netty-codec-socks-4.2.12.Final.jar
-netty-codec/4.2.12.Final//netty-codec-4.2.12.Final.jar
-netty-common/4.2.12.Final//netty-common-4.2.12.Final.jar
-netty-handler-proxy/4.2.12.Final//netty-handler-proxy-4.2.12.Final.jar
-netty-handler/4.2.12.Final//netty-handler-4.2.12.Final.jar
-netty-resolver-dns/4.2.12.Final//netty-resolver-dns-4.2.12.Final.jar
-netty-resolver/4.2.12.Final//netty-resolver-4.2.12.Final.jar
+netty-all/4.2.13.Final//netty-all-4.2.13.Final.jar
+netty-buffer/4.2.13.Final//netty-buffer-4.2.13.Final.jar
+netty-codec-base/4.2.13.Final//netty-codec-base-4.2.13.Final.jar
+netty-codec-compression/4.2.13.Final//netty-codec-compression-4.2.13.Final.jar
+netty-codec-dns/4.2.13.Final//netty-codec-dns-4.2.13.Final.jar
+netty-codec-http/4.2.13.Final//netty-codec-http-4.2.13.Final.jar
+netty-codec-http2/4.2.13.Final//netty-codec-http2-4.2.13.Final.jar
+netty-codec-socks/4.2.13.Final//netty-codec-socks-4.2.13.Final.jar
+netty-codec/4.2.13.Final//netty-codec-4.2.13.Final.jar
+netty-common/4.2.13.Final//netty-common-4.2.13.Final.jar
+netty-handler-proxy/4.2.13.Final//netty-handler-proxy-4.2.13.Final.jar
+netty-handler/4.2.13.Final//netty-handler-4.2.13.Final.jar
+netty-resolver-dns/4.2.13.Final//netty-resolver-dns-4.2.13.Final.jar
+netty-resolver/4.2.13.Final//netty-resolver-4.2.13.Final.jar
netty-tcnative-boringssl-static/2.0.77.Final/linux-aarch_64/netty-tcnative-boringssl-static-2.0.77.Final-linux-aarch_64.jar
netty-tcnative-boringssl-static/2.0.77.Final/linux-x86_64/netty-tcnative-boringssl-static-2.0.77.Final-linux-x86_64.jar
netty-tcnative-boringssl-static/2.0.77.Final/osx-aarch_64/netty-tcnative-boringssl-static-2.0.77.Final-osx-aarch_64.jar
netty-tcnative-boringssl-static/2.0.77.Final/osx-x86_64/netty-tcnative-boringssl-static-2.0.77.Final-osx-x86_64.jar
netty-tcnative-boringssl-static/2.0.77.Final/windows-x86_64/netty-tcnative-boringssl-static-2.0.77.Final-windows-x86_64.jar
netty-tcnative-classes/2.0.77.Final//netty-tcnative-classes-2.0.77.Final.jar
-netty-transport-classes-epoll/4.2.12.Final//netty-transport-classes-epoll-4.2.12.Final.jar
-netty-transport-classes-kqueue/4.2.12.Final//netty-transport-classes-kqueue-4.2.12.Final.jar
-netty-transport-native-epoll/4.2.12.Final/linux-aarch_64/netty-transport-native-epoll-4.2.12.Final-linux-aarch_64.jar
-netty-transport-native-epoll/4.2.12.Final/linux-riscv64/netty-transport-native-epoll-4.2.12.Final-linux-riscv64.jar
-netty-transport-native-epoll/4.2.12.Final/linux-x86_64/netty-transport-native-epoll-4.2.12.Final-linux-x86_64.jar
-netty-transport-native-kqueue/4.2.12.Final/osx-aarch_64/netty-transport-native-kqueue-4.2.12.Final-osx-aarch_64.jar
-netty-transport-native-kqueue/4.2.12.Final/osx-x86_64/netty-transport-native-kqueue-4.2.12.Final-osx-x86_64.jar
-netty-transport-native-unix-common/4.2.12.Final//netty-transport-native-unix-common-4.2.12.Final.jar
-netty-transport/4.2.12.Final//netty-transport-4.2.12.Final.jar
+netty-transport-classes-epoll/4.2.13.Final//netty-transport-classes-epoll-4.2.13.Final.jar
+netty-transport-classes-kqueue/4.2.13.Final//netty-transport-classes-kqueue-4.2.13.Final.jar
+netty-transport-native-epoll/4.2.13.Final/linux-aarch_64/netty-transport-native-epoll-4.2.13.Final-linux-aarch_64.jar
+netty-transport-native-epoll/4.2.13.Final/linux-riscv64/netty-transport-native-epoll-4.2.13.Final-linux-riscv64.jar
+netty-transport-native-epoll/4.2.13.Final/linux-x86_64/netty-transport-native-epoll-4.2.13.Final-linux-x86_64.jar
+netty-transport-native-kqueue/4.2.13.Final/osx-aarch_64/netty-transport-native-kqueue-4.2.13.Final-osx-aarch_64.jar
+netty-transport-native-kqueue/4.2.13.Final/osx-x86_64/netty-transport-native-kqueue-4.2.13.Final-osx-x86_64.jar
+netty-transport-native-unix-common/4.2.13.Final//netty-transport-native-unix-common-4.2.13.Final.jar
+netty-transport/4.2.13.Final//netty-transport-4.2.13.Final.jar
objenesis/3.5//objenesis-3.5.jar
okhttp/3.12.12//okhttp-3.12.12.jar
okio/1.17.6//okio-1.17.6.jar
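Review bot: the commit message credits this upgrade with fixes in netty-codec-redis, netty-codec-http3 and netty-codec-mqtt, but none of those artifacts is among the 23 entries bumped in this hunk. Suggest stating in the description which of the listed advisories touch modules this manifest actually ships (netty-codec-http, netty-codec-http2, netty-codec-dns, netty-handler-proxy, netty-transport-native-epoll, netty-codec and netty-codec-compression all appear here), so anyone triaging the CVEs against a Spark distribution can tell which ones apply. The description also says "11 CVE fixes" while listing 13 advisories; worth reconciling in the same pass.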
diff --git a/pom.xml b/pom.xml
index fd55b9b631c2..1d2b847a2f8f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -220,7 +220,7 @@
SPARK-53327 workaround should be reverted.
-->
<datasketches.version>6.2.0</datasketches.version>
- <netty.version>4.2.12.Final</netty.version>
+ <netty.version>4.2.13.Final</netty.version>
<netty-tcnative.version>2.0.77.Final</netty-tcnative.version>
<icu4j.version>78.3</icu4j.version>
<junit.version>6.0.3</junit.version>
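Review bot: on the context line directly below the changed property, netty-tcnative.version stays at 2.0.77.Final while netty.version moves to 4.2.13.Final, and the description does not say whether that pairing was checked. Suggest confirming that 2.0.77.Final is the netty-tcnative version Netty 4.2.13.Final expects and noting it in the commit message, so the unchanged netty-tcnative-boringssl-static and netty-tcnative-classes entries in dev/deps are known to be intentional.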