fix(deps): bump netty-bom to 4.1.135.Final for CVE-2026-44249 #28880

Merged: ulixius9 merged 2 commits into main from fix/netty-cve-2026-44249 on Jun 10, 2026

manerow (Contributor) commented Jun 9, 2026

Fixes #28879

What

Bumps io.netty:netty-bom from 4.1.133.Final to 4.1.135.Final in the root pom.xml.

Why

GHSA-3qp7-7mw8-wx86 / CVE-2026-44249 (High, CVSS 8.1) in io.netty:netty-handler.

IpSubnetFilterRule.compareTo() performs a bitwise AND against networkAddress instead of subnetMask, allowing IPv6 subnet access-control rules to be bypassed by valid public IPs. Affected: <= 4.1.134.Final. First patched: 4.1.135.Final (latest on the 4.1.x line).

Notes

Patch-level bump within the API-stable 4.1.x line — bugfix/security only, no breaking changes. Flagged by the Collate release vuln scan; this fixes the standalone OpenMetadata distribution (OMD MySQL/Postgres images).

manerow added labels Jun 9, 2026: safe to test (Add this label to run secure Github workflows on PRs); To release (Will cherry-pick this PR into the release branch); backend
manerow self-assigned this Jun 9, 2026
manerow added this to Shipping Jun 9, 2026
manerow removed this from Shipping Jun 9, 2026
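
One way to confirm the bump reached every module, as an added example that is not part of the PR or the OpenMetadata code base: it parses `mvn dependency:tree` output and classifies each io.netty:netty-handler node against the version boundary stated in the description. The sample tree and its org.example modules are constructed; versions outside 4.1.x are reported as unassessed because the PR only states the 4.1.x boundary.

```python
import re

# From the PR description above: io.netty:netty-handler is affected up to
# 4.1.134.Final and first patched in 4.1.135.Final.
ARTIFACT = "io.netty:netty-handler"
FIRST_PATCHED = (4, 1, 135)

# `mvn dependency:tree` prints groupId:artifactId:type[:classifier]:version:scope
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")
NETTY_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.Final")


def classify(version):
    """Return 'vulnerable', 'patched' or 'unassessed' for one version string."""
    m = NETTY_VERSION.fullmatch(version)
    if not m:
        return "unassessed"          # snapshot, vendor rebuild, unknown format
    parsed = tuple(int(p) for p in m.groups())
    if parsed[:2] != (4, 1):
        return "unassessed"          # the PR only states the 4.1.x boundary
    return "patched" if parsed >= FIRST_PATCHED else "vulnerable"


def audit(tree_text):
    """List (version, status) for every netty-handler node in the tree output."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        parts = m.group(0).split(":")
        if f"{parts[0]}:{parts[1]}" == ARTIFACT:
            findings.append((parts[-2], classify(parts[-2])))
    return findings


# Constructed sample output; the org.example modules are hypothetical.
SAMPLE_TREE = """\
[INFO] org.example:service-a:jar:1.0.0
[INFO] +- io.netty:netty-handler:jar:4.1.135.Final:compile
[INFO] |  \\- io.netty:netty-buffer:jar:4.1.135.Final:compile
[INFO] org.example:service-b:jar:1.0.0
[INFO] \\- org.example:legacy-client:jar:2.3.0:compile
[INFO]    \\- io.netty:netty-handler:jar:4.1.133.Final:compile
"""

if __name__ == "__main__":
    for version, status in audit(SAMPLE_TREE):
        print(f"{ARTIFACT}:{version} -> {status}")
```

A module that does not inherit the root pom.xml is not covered by the BOM, so any node reported as vulnerable or unassessed needs its own pin or exclusion.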

github-actions Bot (Contributor) commented Jun 9, 2026

🟡 Playwright Results — all passed (23 flaky)

✅ 4261 passed · ❌ 0 failed · 🟡 23 flaky · ⏭️ 88 skipped

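| Shard | Passed | Failed | Flaky | Skipped |
|---|---|---|---|---|
| 🟡 Shard 1 | 299 | 0 | 2 | 4 |
| 🟡 Shard 2 | 800 | 0 | 6 | 9 |
| 🟡 Shard 3 | 803 | 0 | 5 | 8 |
| 🟡 Shard 4 | 839 | 0 | 4 | 12 |
| 🟡 Shard 5 | 720 | 0 | 1 | 47 |
| 🟡 Shard 6 | 800 | 0 | 5 | 8 |
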
🟡 23 flaky test(s) (passed on retry)
  • Features/EntityRenameConsolidation.spec.ts › Classification - rename then update description should preserve tags (shard 1, 1 retry)
  • Flow/Tour.spec.ts › Tour should work from help section (shard 1, 1 retry)
  • Features/DataQuality/DataQuality.spec.ts › TestCase filters (shard 2, 1 retry)
  • Features/DataQuality/TestCaseImportExportE2eFlow.spec.ts › Admin: Complete export-import-validate flow (shard 2, 1 retry)
  • Features/DataQuality/TestCaseImportExportE2eFlow.spec.ts › EditAll User: Complete export-import-validate flow (shard 2, 1 retry)
  • Features/DataQuality/TestCaseResultPermissions.spec.ts › User with only VIEW cannot PATCH results (shard 2, 1 retry)
  • Features/DomainTierCertificationVoting.spec.ts › DataProduct - UpVote and DownVote (shard 2, 1 retry)
  • Features/Glossary/GlossaryWorkflow.spec.ts › should display correct status badge color and icon (shard 2, 1 retry)
  • Features/IncidentManager.spec.ts › Next, Previous and page indicator (shard 3, 1 retry)
  • Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
  • Features/Table.spec.ts › Table pagination with sorting should works (shard 3, 1 retry)
  • Features/Tasks/TaskNavigation.spec.ts › navigating to /table/TASK-XXXXX should show 404 (invalid URL pattern) (shard 3, 1 retry)
  • Flow/IngestionBot.spec.ts › Ingestion bot should be able to access domain specific domain (shard 3, 1 retry)
  • Flow/PlatformLineage.spec.ts › Verify Platform Lineage View (shard 4, 1 retry)
  • Pages/CustomProperties.spec.ts › Markdown (shard 4, 1 retry)
  • Pages/CustomProperties.spec.ts › Table (shard 4, 1 retry)
  • Pages/CustomProperties.spec.ts › Integer (shard 4, 1 retry)
  • Pages/ExplorePageRightPanel_KnowledgeCenter.spec.ts › Should remove user owner for knowledgeCenter (shard 5, 1 retry)
  • Pages/Lineage/DataAssetLineage.spec.ts › verify create lineage for entity - File (shard 6, 1 retry)
  • Pages/Lineage/LineageFilters.spec.ts › Verify lineage service type filter selection (shard 6, 1 retry)
  • Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
  • Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)
  • Pages/Lineage/PlatformLineage.spec.ts › Verify domain platform view (shard 6, 1 retry)

How to debug locally
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

ulixius9 merged commit 14fba45 into main Jun 10, 2026
66 of 70 checks passed
ulixius9 deleted the fix/netty-cve-2026-44249 branch June 10, 2026 04:11

github-actions (Contributor) commented

Changes have been cherry-picked to the 1.13 branch.

github-actions Bot pushed a commit that referenced this pull request Jun 10, 2026
* fix(deps): bump netty-bom to 4.1.135.Final for CVE-2026-44249

* chore: retrigger CI

(cherry picked from commit 14fba45)

gitar-bot Bot commented Jun 10, 2026

Code Review ✅ Approved

Bumps netty-bom to 4.1.135.Final to mitigate CVE-2026-44249. No issues found.

github-actions (Contributor) commented

Failed to cherry-pick changes to the 1.12.11 branch.
Please cherry-pick the changes manually.
You can find more details here.

mohityadav766 pushed a commit that referenced this pull request Jun 10, 2026
* fix(deps): bump netty-bom to 4.1.135.Final for CVE-2026-44249

* chore: retrigger CI

(cherry picked from commit 14fba45)

Development

Successfully merging this pull request may close these issues.

Bump netty-bom to 4.1.135.Final — CVE-2026-44249 IPv6 subnet-filter bypass in netty-handler
