Bump netty from 4.1.121.Final to 4.1.124.Final

[cwperks]

Description

Bump netty from 4.1.121.Final to 4.1.124.Final

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peterzhuamazon]

Adding @reta @andrross to co-review this one.
This will not make it to 3.2.0 as it is pretty new.
Still backport to 3.2 just in case. Thanks.

[github-actions]

✅ Gradle check result for b502c64: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.85%. Comparing base (f81d75a) to head (b502c64).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #19103      +/-   ##
============================================
- Coverage     72.86%   72.85%   -0.01%     
- Complexity    69411    69412       +1     
============================================
  Files          5647     5647              
  Lines        319166   319188      +22     
  Branches      46165    46169       +4     
============================================
- Hits         232565   232550      -15     
- Misses        67779    67793      +14     
- Partials      18822    18845      +23     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[rursprung]

can this be done also for 2.19.x? scanners are reporting CVE-2025-58056 & CVE-2025-58057 on netty. however, the fix for those are only in 4.1.125.Final anyway, so an additional update is also needed on main

[StewartWBrown]

Agree with @rursprung - appearing in our scans too for the same vulnerabilities. Would be good to get this bumped to 4.1.125.Final if possible to clear these!

Had a brief closer look into this, and slightly different netty libraries are also present in openseach-ml, looks like version 4.1.118.Final coming in through software.amazon.awssdk - netty-nio-client (2.30.18)

Additionally in the opensearch-notifications plugin, looks like is coming through opensearch-remote-metadata-sdk-ddb-client -> which also contains software.amazon.awssdk - netty-nio-client (2.30.18)

Looks like a bump in the netty versions was included in a recently released software.amazon.awssdk - version 2.33.4 (release notes here)

[cwperks]

@rursprung @StewartWBrown , we will backport #19269 to 2.19.