fix(security): Upgrade netty to 4.1.130.Final to address CVE-2025-67735 #26862

Merged
nishithakbhaskaran merged 1 commit into prestodb:master from ShahimSharafudeen:netty-codec-http-CVE-2025-67735
Jan 8, 2026

@ShahimSharafudeen
Contributor

@ShahimSharafudeen ShahimSharafudeen commented Dec 24, 2025

Description

Upgrade Netty to 4.1.130.Final to address CVE-2025-67735

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade Netty to version 4.1.130.Final to address `CVE-2025-67735 <https://github.com/advisories/GHSA-84h7-rjj3-6jx4>`_.

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Dec 24, 2025
@ShahimSharafudeen ShahimSharafudeen marked this pull request as ready for review January 1, 2026 07:25
@ShahimSharafudeen ShahimSharafudeen requested a review from a team as a code owner January 1, 2026 07:25
@prestodb-ci prestodb-ci requested review from a team, BryanCutler and sh-shamsan and removed request for a team January 1, 2026 07:25
@ShahimSharafudeen ShahimSharafudeen force-pushed the netty-codec-http-CVE-2025-67735 branch from 33bc652 to 6ac72a7 Compare January 5, 2026 06:13
Member

@agrawalreetika agrawalreetika left a comment


Thanks for the PR.
Why not upgrade to the latest 4.2.9Final version?

@ShahimSharafudeen
Contributor Author

> Thanks for the PR. Why not upgrade to the latest 4.2.9Final version?

Thanks for the review. The 4.2.x.Final release introduces a major Netty upgrade, while the CVE fix we needed is already included in the patch releases starting from 4.1.129.Final. To minimize risk and keep the change focused, I upgraded only to the patched 4.1.130.Final version as a quick fix.
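One way to check a built tree against the reasoning in the reply above, as an added example that is not part of the PR or the Presto project: it classifies `io.netty` artifacts from `mvn dependency:tree` output against the 4.1.129.Final threshold the author cites. The function names and the sample tree lines are constructed for illustration; versions outside the 4.1.x line are marked for manual review because the page gives no threshold for them.

```python
import re

# Threshold from the PR author's comment: the fix is in 4.1.x patch
# releases starting from 4.1.129.Final.
FIRST_PATCHED_41 = 129

# groupId:artifactId:type[:classifier]:version:scope as printed by dependency:tree
COORD = re.compile(r"io\.netty:[\w.\-]+(?::[\w.\-]+)+")
VERSION_41 = re.compile(r"^4\.1\.(\d+)\.Final$")

# Constructed sample output (not taken from the Presto build).
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:1.0
[INFO] +- io.netty:netty-codec-http:jar:4.1.126.Final:compile
[INFO] |  \- io.netty:netty-handler:jar:4.1.130.Final:compile
[INFO] +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.130.Final:runtime
[INFO] \- io.netty:netty-tcnative-boringssl-static:jar:2.0.70.Final:compile
"""

def classify(version):
    """Return 'patched', 'below-fix', or 'review' for one version string."""
    m = VERSION_41.match(version)
    if not m:
        # Not a 4.1.x.Final version (e.g. netty-tcnative 2.0.x or Netty 4.2.x).
        return "review"
    return "patched" if int(m.group(1)) >= FIRST_PATCHED_41 else "below-fix"

def audit_netty(tree_text):
    """Return sorted (artifactId, version, status) tuples for io.netty entries."""
    findings = set()
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        parts = m.group(0).split(":")
        if len(parts) < 5:  # need at least group:artifact:type:version:scope
            continue
        # The version is always second to last, with or without a classifier.
        artifact, version = parts[1], parts[-2]
        findings.add((artifact, version, classify(version)))
    return sorted(findings)

if __name__ == "__main__":
    for artifact, version, status in audit_netty(SAMPLE_TREE):
        print(f"{status:10} {artifact}:{version}")
```

Any `below-fix` row means an older Netty 4.1.x artifact is still being resolved, typically through a transitive dependency or a module that overrides the managed version.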

Contributor

@BryanCutler BryanCutler left a comment


LGTM

@steveburnett
Contributor

Thanks for the release note! Formatting nit:

== RELEASE NOTES ==

Security Changes
* Upgrade Netty to version 4.1.130.Final to address `CVE-2025-67735 <https://github.com/advisories/GHSA-84h7-rjj3-6jx4>`_.

@ShahimSharafudeen
Contributor Author

> Thanks for the release note! Formatting nit:
>
> == RELEASE NOTES ==
>
> Security Changes
> * Upgrade Netty to version 4.1.130.Final to address `CVE-2025-67735 <https://github.com/advisories/GHSA-84h7-rjj3-6jx4>`_.

Thank you, @steveburnett, for the review. I have updated the release notes according to your feedback.

Contributor

@pratyakshsharma pratyakshsharma left a comment


Thank you.

Member

@hantangwangd hantangwangd left a comment


@nishithakbhaskaran nishithakbhaskaran merged commit 52623a1 into prestodb:master Jan 8, 2026
111 of 113 checks passed
tdcmeehan pushed a commit to rdtr/presto that referenced this pull request Jan 14, 2026
… (prestodb#26862)

## Description
Upgrade Netty to 4.1.130.Final to address CVE-2025-67735

## Motivation and Context
<!---Why is this change required? What problem does it solve?-->
<!---If it fixes an open issue, please link to the issue here.-->

## Impact
<!---Describe any public API or user-facing feature change or any
performance impact-->

## Test Plan
<!---Please fill in how you tested your change-->

## Contributor checklist

- [ ] Please make sure your submission complies with our [contributing
guide](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md),
in particular [code
style](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#code-style)
and [commit
standards](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#commit-standards).
- [ ] PR description addresses the issue accurately and concisely. If
the change is non-trivial, a GitHub Issue is referenced.
- [ ] Documented new properties (with its default value), SQL syntax,
functions, or other functionality.
- [ ] If release notes are required, they follow the [release notes
guidelines](https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines).
- [ ] Adequate tests were added if applicable.
- [ ] CI passed.
- [ ] If adding new dependencies, verified they have an [OpenSSF
Scorecard](https://securityscorecards.dev/#the-checks) score of 5.0 or
higher (or obtained explicit TSC approval for lower scores).

## Release Notes
Please follow [release notes
guidelines](https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines)
and fill in the release notes below.

```
== RELEASE NOTES ==

Security Changes
* Upgrade Netty to version 4.1.130.Final to address `CVE-2025-67735 <https://github.com/advisories/GHSA-84h7-rjj3-6jx4>`_.
```
Labels

from:IBM PR from IBM

8 participants