Bump to Vert.x 4.5.21 and Netty 4.1.127.Final #49867

jponge · 2025-09-04T07:35:00Z

This fixes Netty CVEs: CVE-2025-58057 and CVE-2025-58056

quarkus-bot · 2025-09-04T07:35:24Z

/cc @brunobat (opentelemetry), @radcortez (opentelemetry)

...c/test/java/io/quarkus/opentelemetry/runtime/tracing/intrumentation/vertx/VertxUtilTest.java

jponge · 2025-09-04T09:13:54Z

We have failures in JVM / native mode for some HTTP compression tests, see ./mvnw clean verify -f integration-tests/vertx-http-compressors/

jmartisk

I assume we also need to update the version in independent-projects/vertx-utils/pom.xml (is that the cause of the failure?)

jponge · 2025-09-04T09:27:50Z

Good catch @jmartisk, let me see if this caused a mis-alignment

jponge · 2025-09-04T09:28:52Z

It's a needed POM bump, but it doesn't solve the problem.

jponge · 2025-09-04T09:46:14Z

I've made aware @vietj and @geoand, I'm not sure if it's a test problem, a Quarkus problem, etc.

jponge · 2025-09-04T09:48:07Z

Also /cc @mkouba

cescoffier · 2025-09-04T10:24:31Z

Do you have a stack trace or something?

cescoffier · 2025-09-04T10:48:00Z

Ok, so, it's not nice.

When we use the Vert.x web client to retrieve the response, it got cut. It only does it when the compression use "deflate"

cescoffier · 2025-09-04T10:54:40Z

It cut just before \n\r\n\r.... - so definitely related to the netty commit.

cescoffier · 2025-09-04T11:05:42Z

Hum, every \n we have in the response, cut the response.

cescoffier · 2025-09-04T11:11:36Z

Someone would have to check, but according to https://w4ke.info/2025/06/18/funky-chunks.html, we may have an illegal test in the sense that it introduces "funky chunks".

I'm surprised, as we mostly only introduce \n, which should be fine.

cescoffier · 2025-09-04T11:14:32Z

Not sure actually - I've removed the line jump and still see cut content.

cescoffier · 2025-09-04T11:50:41Z

The content appears to be compressed correctly, but the issue arises when we decompress it in the test to verify if it matches the original content. We use the Netty API directly; I don't see anything odd so far.

jponge · 2025-09-04T12:03:27Z

Also what I'm looking at (but no expert in that area)

cescoffier · 2025-09-04T12:10:55Z

Ok, got it.

cescoffier · 2025-09-04T12:14:35Z

Apply the following:

Subject: [PATCH] Fix decompression
---
Index: integration-tests/vertx-http-compressors/app/src/test/java/io/quarkus/compressors/it/Testflow.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/integration-tests/vertx-http-compressors/app/src/test/java/io/quarkus/compressors/it/Testflow.java b/integration-tests/vertx-http-compressors/app/src/test/java/io/quarkus/compressors/it/Testflow.java
--- a/integration-tests/vertx-http-compressors/app/src/test/java/io/quarkus/compressors/it/Testflow.java	(revision 528649665e0f70e7890b44d6f30f0eaa0f8d1084)
+++ b/integration-tests/vertx-http-compressors/app/src/test/java/io/quarkus/compressors/it/Testflow.java	(date 1756987929779)
@@ -178,9 +178,9 @@
         if (algorithm != null && !"identity".equalsIgnoreCase(algorithm)) {
             final EmbeddedChannel channel;
             if ("gzip".equalsIgnoreCase(algorithm)) {
-                channel = new EmbeddedChannel(newZlibDecoder(ZlibWrapper.GZIP));
+                channel = new EmbeddedChannel(newZlibDecoder(ZlibWrapper.GZIP, 0));
             } else if ("deflate".equalsIgnoreCase(algorithm)) {
-                channel = new EmbeddedChannel(newZlibDecoder(ZlibWrapper.ZLIB));
+                channel = new EmbeddedChannel(newZlibDecoder(ZlibWrapper.ZLIB, 0));
             } else if ("br".equalsIgnoreCase(algorithm)) {
                 channel = new EmbeddedChannel(new BrotliDecoder());
             } else {
@@ -188,8 +188,18 @@
             }
             channel.writeInbound(Unpooled.copiedBuffer(payload));
             channel.finish();
-            final ByteBuf decompressed = channel.readInbound();
-            return decompressed.readCharSequence(decompressed.readableBytes(), StandardCharsets.UTF_8).toString();
+
+            // Read all output buffers - decompression might produce multiple buffers
+            final StringBuilder result = new StringBuilder();
+            ByteBuf decompressed;
+            while ((decompressed = channel.readInbound()) != null) {
+                try {
+                    result.append(decompressed.readCharSequence(decompressed.readableBytes(), StandardCharsets.UTF_8));
+                } finally {
+                    decompressed.release();
+                }
+            }
+            return result.toString();
         } else {
             return new String(payload, StandardCharsets.UTF_8);
         }

jponge · 2025-09-04T12:17:57Z

Let me check that + fix something else we discussed with @cescoffier

jponge · 2025-09-04T12:59:18Z

Let's have a green CI before backporting to #49869 and #49868

sberyozkin · 2025-09-04T16:01:09Z

bouncy-castle-fips-jsse test is failing, I'm in a co-working space right now, it expires in an hour, so it is unlikely I'll find anything now, will look later this evening. If this PR must get in ASAP, I suggest ignore this test failure and go ahead with the merge and open an issue assigned to me to check the test failure.

sberyozkin · 2025-09-04T16:40:28Z

The trace for the bouncycastle is here:

at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
2025-09-04T13:15:02.4517767Z 	Suppressed: java.lang.IllegalAccessException: class io.netty.handler.ssl.BouncyCastleAlpnSslUtils cannot access a member of class org.bouncycastle.jsse.provider.ProvSSLEngine with modifiers "public synchronized"
2025-09-04T13:15:02.4519077Z 		at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
2025-09-04T13:15:02.4519682Z 		at java.base/java.lang.reflect.Method.invoke(Method.java:561)
2025-09-04T13:15:02.4521228Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslUtils.<clinit>(BouncyCastleAlpnSslUtils.java:83)
2025-09-04T13:15:02.4522023Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine$1.accept(BouncyCastleAlpnSslEngine.java:35)
2025-09-04T13:15:02.4522805Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine$1.accept(BouncyCastleAlpnSslEngine.java:32)
2025-09-04T13:15:02.4523486Z 		at io.netty.handler.ssl.JdkAlpnSslEngine.<init>(JdkAlpnSslEngine.java:92)
2025-09-04T13:15:02.4524173Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine.<init>(BouncyCastleAlpnSslEngine.java:31)
2025-09-04T13:15:02.4525188Z 		at io.netty.handler.ssl.JdkAlpnApplicationProtocolNegotiator$AlpnWrapper.wrapSslEngine(JdkAlpnApplicationProtocolNegotiator.java:139)
2025-09-04T13:15:02.4526167Z 		at io.netty.handler.ssl.JdkSslContext.configureAndWrapEngine(JdkSslContext.java:383)
2025-09-04T13:15:02.4526823Z 		at io.netty.handler.ssl.JdkSslContext.newEngine(JdkSslContext.java:357)
2025-09-04T13:15:02.4527678Z 		at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:1077)
2025-09-04T13:15:02.4528331Z 		at io.netty.handler.ssl.DelegatingSslContext.newHandler(DelegatingSslContext.java:100)
2025-09-04T13:15:02.4528958Z 		at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:1072)
2025-09-04T13:15:02.4529849Z 		at io.vertx.core.net.impl.SslChannelProvider.createServerSslHandler(SslChannelProvider.java:160)
2025-09-04T13:15:02.4531072Z 		at io.vertx.core.net.impl.SslChannelProvider.createServerHandler(SslChannelProvider.java:151)
2025-09-04T13:15:02.4531861Z 		at io.vertx.core.http.impl.HttpServerWorker.configurePipeline(HttpServerWorker.java:132)
2025-09-04T13:15:02.4532562Z 		at io.vertx.core.http.impl.HttpServerWorker.accept(HttpServerWorker.java:125)
2025-09-04T13:15:02.4533372Z 		at io.vertx.core.http.impl.HttpServerWorker.accept(HttpServerWorker.java:49)
2025-09-04T13:15:02.4534109Z 		at io.vertx.core.net.impl.TCPServerBase.lambda$listen$6(TCPServerBase.java:297)
2025-09-04T13:15:02.4534896Z 		at io.vertx.core.net.impl.ServerChannelLoadBalancer.initChannel(ServerChannelLoadBalancer.java:61)
2025-09-04T13:15:02.4535746Z 		at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
2025-09-04T13:15:02.4536583Z 		at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
2025-09-04T13:15:02.4537796Z 		at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
2025-09-04T13:15:02.4539002Z 		at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
2025-09-04T13:15:02.4540089Z 		at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
2025-09-04T13:15:02.4541006Z 		at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
2025-09-04T13:15:02.4541985Z 		at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
2025-09-04T13:15:02.4542962Z 		at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
2025-09-04T13:15:02.4543767Z 		at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
2025-09-04T13:15:02.4544572Z 		at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
2025-09-04T13:15:02.4545262Z 		at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
2025-09-04T13:15:02.4545975Z 		at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
2025-09-04T13:15:02.4546952Z 		at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
2025-09-04T13:15:02.4547883Z 		at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
2025-09-04T13:15:02.4548603Z 		at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
2025-09-04T13:15:02.4549255Z 		at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
2025-09-04T13:15:02.4549986Z 		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
2025-09-04T13:15:02.4550675Z 		at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
2025-09-04T13:15:02.4551259Z 		at java.base/java.lang.Thread.run(Thread.java:840)
2025-09-04T13:15:02.4552053Z 	Suppressed: java.lang.IllegalStateException: java.lang.NullPointerException: Cannot invoke "java.lang.Class.getMethods()" because "intf" is null
2025-09-04T13:15:02.4553277Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslUtils.setHandshakeApplicationProtocolSelector(BouncyCastleAlpnSslUtils.java:207)
2025-09-04T13:15:02.4554239Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine$1.accept(BouncyCastleAlpnSslEngine.java:35)
2025-09-04T13:15:02.4555028Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine$1.accept(BouncyCastleAlpnSslEngine.java:32)
2025-09-04T13:15:02.4555799Z 		at io.netty.handler.ssl.JdkAlpnSslEngine.<init>(JdkAlpnSslEngine.java:92)
2025-09-04T13:15:02.4556706Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine.<init>(BouncyCastleAlpnSslEngine.java:31)
2025-09-04T13:15:02.4557867Z 		at io.netty.handler.ssl.JdkAlpnApplicationProtocolNegotiator$AlpnWrapper.wrapSslEngine(JdkAlpnApplicationProtocolNegotiator.java:139)
2025-09-04T13:15:02.4558879Z 		at io.netty.handler.ssl.JdkSslContext.configureAndWrapEngine(JdkSslContext.java:383)
2025-09-04T13:15:02.4559592Z 		at io.netty.handler.ssl.JdkSslContext.newEngine(JdkSslContext.java:357)
2025-09-04T13:15:02.4560208Z 		at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:1077)
2025-09-04T13:15:02.4560838Z 		at io.netty.handler.ssl.DelegatingSslContext.newHandler(DelegatingSslContext.java:100)
2025-09-04T13:15:02.4561496Z 		at io.netty.handler.ssl.SslContext.newHandler(SslContext.java:1072)
2025-09-04T13:15:02.4562226Z 		at io.vertx.core.net.impl.SslChannelProvider.createServerSslHandler(SslChannelProvider.java:160)
2025-09-04T13:15:02.4563123Z 		at io.vertx.core.net.impl.SslChannelProvider.createServerHandler(SslChannelProvider.java:151)
2025-09-04T13:15:02.4563975Z 		at io.vertx.core.http.impl.HttpServerWorker.configurePipeline(HttpServerWorker.java:132)
2025-09-04T13:15:02.4564686Z 		at io.vertx.core.http.impl.HttpServerWorker.accept(HttpServerWorker.java:125)
2025-09-04T13:15:02.4565325Z 		at io.vertx.core.http.impl.HttpServerWorker.accept(HttpServerWorker.java:49)
2025-09-04T13:15:02.4565961Z 		at io.vertx.core.net.impl.TCPServerBase.lambda$listen$6(TCPServerBase.java:297)
2025-09-04T13:15:02.4566712Z 		at io.vertx.core.net.impl.ServerChannelLoadBalancer.initChannel(ServerChannelLoadBalancer.java:61)
2025-09-04T13:15:02.4567627Z 		at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
2025-09-04T13:15:02.4568294Z 		at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
2025-09-04T13:15:02.4569113Z 		at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1130)
2025-09-04T13:15:02.4569978Z 		at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:558)
2025-09-04T13:15:02.4570710Z 		at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:45)
2025-09-04T13:15:02.4571498Z 		at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1410)
2025-09-04T13:15:02.4572405Z 		at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1064)
2025-09-04T13:15:02.4573556Z 		at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:599)
2025-09-04T13:15:02.4574553Z 		at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:513)
2025-09-04T13:15:02.4575200Z 		at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:428)
2025-09-04T13:15:02.4575841Z 		at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:485)
2025-09-04T13:15:02.4576503Z 		at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
2025-09-04T13:15:02.4577253Z 		at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
2025-09-04T13:15:02.4578210Z 		at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
2025-09-04T13:15:02.4578885Z 		at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
2025-09-04T13:15:02.4579525Z 		at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
2025-09-04T13:15:02.4580193Z 		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
2025-09-04T13:15:02.4580845Z 		at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
2025-09-04T13:15:02.4581408Z 		at java.base/java.lang.Thread.run(Thread.java:840)
2025-09-04T13:15:02.4582015Z 	Caused by: java.lang.NullPointerException: Cannot invoke "java.lang.Class.getMethods()" because "intf" is null
2025-09-04T13:15:02.4582884Z 		at java.base/java.lang.reflect.Proxy$ProxyBuilder.referencedTypes(Proxy.java:744)
2025-09-04T13:15:02.4583477Z 		at java.base/java.lang.reflect.Proxy$ProxyBuilder.<init>(Proxy.java:645)
2025-09-04T13:15:02.4583954Z 		at java.base/java.lang.reflect.Proxy$ProxyBuilder.<init>(Proxy.java:656)
2025-09-04T13:15:02.4584558Z 		at java.base/java.lang.reflect.Proxy.lambda$getProxyConstructor$0(Proxy.java:429)
2025-09-04T13:15:02.4585351Z 		at java.base/jdk.internal.loader.AbstractClassLoaderValue$Memoizer.get(AbstractClassLoaderValue.java:329)
2025-09-04T13:15:02.4586281Z 		at java.base/jdk.internal.loader.AbstractClassLoaderValue.computeIfAbsent(AbstractClassLoaderValue.java:205)
2025-09-04T13:15:02.4587097Z 		at java.base/java.lang.reflect.Proxy.getProxyConstructor(Proxy.java:427)
2025-09-04T13:15:02.4587898Z 		at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1037)
2025-09-04T13:15:02.4588815Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslUtils.setHandshakeApplicationProtocolSelector(BouncyCastleAlpnSslUtils.java:183)
2025-09-04T13:15:02.4589561Z 		... 36 more
2025-09-04T13:15:02.4589936Z 	Suppressed: org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40)
2025-09-04T13:15:02.4590277Z 		... 135 more
2025-09-04T13:15:02.4590957Z 	Suppressed: java.lang.IllegalStateException: java.lang.NullPointerException: Cannot invoke "java.lang.Class.getMethods()" because "intf" is null
2025-09-04T13:15:02.4592163Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslUtils.setHandshakeApplicationProtocolSelector(BouncyCastleAlpnSslUtils.java:207)
2025-09-04T13:15:02.4593180Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine$1.accept(BouncyCastleAlpnSslEngine.java:35)
2025-09-04T13:15:02.4593995Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine$1.accept(BouncyCastleAlpnSslEngine.java:32)
2025-09-04T13:15:02.4594697Z 		at io.netty.handler.ssl.JdkAlpnSslEngine.<init>(JdkAlpnSslEngine.java:92)
2025-09-04T13:15:02.4595382Z 		at io.netty.handler.ssl.BouncyCastleAlpnSslEngine.<init>(BouncyCastleAlpnSslEngine.java:31)
2025-09-04T13:15:02.4596423Z 		at io.netty.handler.ssl.JdkAlpnApplicationProtocolNegotiator$AlpnWrapper.wrapSslEngine(JdkAlpnApplicationProtocolNegotiator.java:139)

Specifically,

2025-09-04T13:15:02.4517767Z 	Suppressed: java.lang.IllegalAccessException: class io.netty.handler.ssl.BouncyCastleAlpnSslUtils cannot access a member of class org.bouncycastle.jsse.provider.ProvSSLEngine with modifiers "public synchronized"

I'm really not sure what can be done at the Quarkus level. Looks like some changes happened at the Netty level.

I'll try to check the history of changes later this evening

jponge · 2025-09-04T17:02:42Z

Not sure about this. I just pushed the test fix commit to the 3.20 / 3.15 backports, let's see how these branches do.

sberyozkin · 2025-09-04T20:24:17Z

I've opened netty/netty#15627

jponge · 2025-09-05T10:02:01Z

Discussion happening in netty/netty#15627 (comment)

sberyozkin · 2025-09-05T10:28:19Z

@holly-cummins Hi Holly, Julien confirmed the Netty code related to loading BouncyCastle classes (JSSE ones in particular) caused two Quarkus BC JSSE integrations tests failing. Can you please have a look at the linked Netty issue, if you can spot something that can clarify why the Netty BouncyCastle class loading related update caused the failure, then please comment

jponge · 2025-09-05T14:11:51Z

@holly-cummins We're all good, this has been confirmed as a Netty bug 👍

geoand · 2025-09-05T14:29:56Z

Nice work everyone!

sberyozkin · 2025-09-05T15:31:13Z

Thanks @jponge for independently confirming the regression with the local Netty build and working with Norman to verify his fix

jponge · 2025-09-05T16:19:40Z

My pleasure 😄 This is the magic of OSS (+ kudos Norman)

bom/application/pom.xml

This fixes Netty CVEs: CVE-2025-58057 and CVE-2025-58056

We override the authority here so we need to be extra careful.

Also fixes Vertx context being created in tests but never been cleared. Co-authored-by: Clement Escoffier <[email protected]>

This fixes Netty/BouncyCastle issues.

jponge · 2025-09-08T12:56:40Z

@cescoffier see the last commit (and PR title already updated)

This fixes Netty CVEs: CVE-2025-58057 and CVE-2025-58056 This is a backport of quarkusio#49867

quarkus-bot · 2025-09-08T16:02:08Z

Status for workflow `Quarkus CI`

This is the status report for running Quarkus CI on commit 8021e27.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

jmartisk

Awesome, thanks a lot!

quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/tracing labels Sep 4, 2025

jponge commented Sep 4, 2025

View reviewed changes

...c/test/java/io/quarkus/opentelemetry/runtime/tracing/intrumentation/vertx/VertxUtilTest.java Show resolved Hide resolved

This was referenced Sep 4, 2025

[3.15] Bump to Vert.x 4.5.21 and Netty 4.1.127.Final #49869

Merged

[3.20] Bump to Vert.x 4.5.21 and Netty 4.1.127.Final #49868

Merged

jmartisk requested changes Sep 4, 2025

View reviewed changes

jponge force-pushed the deps/vertx-4.5.21-main branch from feaf677 to 5286496 Compare September 4, 2025 09:29

quarkus-bot bot added the area/vertx label Sep 4, 2025

This comment has been minimized.

Sign in to view

quarkus-bot bot added the triage/flaky-test label Sep 4, 2025

sberyozkin mentioned this pull request Sep 4, 2025

Regression in BouncyCastleAlpnSslUtils starting from 4.1.125.Final netty/netty#15627

Closed

marcelstoer reviewed Sep 8, 2025

View reviewed changes

bom/application/pom.xml Outdated Show resolved Hide resolved

jponge changed the title ~~Bump to Vert.x 4.5.21 and Netty 4.1.126.Final~~ Bump to Vert.x 4.5.21 and Netty 4.1.127.Final Sep 8, 2025

jponge and others added 4 commits September 8, 2025 14:18

Bump to Vert.x 4.5.21 and Netty 4.1.126.Final

e75a328

This fixes Netty CVEs: CVE-2025-58057 and CVE-2025-58056

Implement authority(boolean real) in ForwardedServerRequestWrapper

7ca2b3f

We override the authority here so we need to be extra careful.

Ensure the full compressed payload is decoded

5cec148

Also fixes Vertx context being created in tests but never been cleared. Co-authored-by: Clement Escoffier <[email protected]>

Bump to Netty 4.1.127.Final

8021e27

This fixes Netty/BouncyCastle issues.

jponge force-pushed the deps/vertx-4.5.21-main branch from 258afe1 to 8021e27 Compare September 8, 2025 12:18

jmartisk added the triage/backport-3.26 label Sep 8, 2025

jponge added a commit to jponge/quarkus that referenced this pull request Sep 8, 2025

Bump to Vert.x 4.5.21 and Netty 4.1.127.Final

ea0b8dd

This fixes Netty CVEs: CVE-2025-58057 and CVE-2025-58056 This is a backport of quarkusio#49867

jponge requested a review from jmartisk September 8, 2025 15:26

jponge added the triage/waiting-for-ci Ready to merge when CI successfully finishes label Sep 8, 2025

jmartisk approved these changes Sep 8, 2025

View reviewed changes

jmartisk merged commit a7ce614 into quarkusio:main Sep 8, 2025
57 checks passed

quarkus-bot bot added this to the 3.28 - main milestone Sep 8, 2025

quarkus-bot bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Sep 8, 2025

jmartisk modified the milestones: 3.28 - main, 3.26.3 Sep 9, 2025

jmartisk removed the triage/backport-3.26 label Sep 9, 2025

Bump to Vert.x 4.5.21 and Netty 4.1.127.Final #49867

Bump to Vert.x 4.5.21 and Netty 4.1.127.Final #49867

Uh oh!

Conversation

jponge commented Sep 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

quarkus-bot bot commented Sep 4, 2025

Uh oh!

Uh oh!

jponge commented Sep 4, 2025

Uh oh!

jmartisk left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jponge commented Sep 4, 2025

Uh oh!

jponge commented Sep 4, 2025

Uh oh!

jponge commented Sep 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jponge commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

jponge commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025

Uh oh!

cescoffier commented Sep 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jponge commented Sep 4, 2025

Uh oh!

jponge commented Sep 4, 2025

Uh oh!

sberyozkin commented Sep 4, 2025

Uh oh!

sberyozkin commented Sep 4, 2025

Uh oh!

This comment has been minimized.

jponge commented Sep 4, 2025

Uh oh!

sberyozkin commented Sep 4, 2025

Uh oh!

jponge commented Sep 5, 2025

Uh oh!

sberyozkin commented Sep 5, 2025

Uh oh!

jponge commented Sep 5, 2025

Uh oh!

geoand commented Sep 5, 2025

Uh oh!

sberyozkin commented Sep 5, 2025

Uh oh!

jponge commented Sep 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

jponge commented Sep 8, 2025

Uh oh!

quarkus-bot bot commented Sep 8, 2025 • edited by github-actions bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Status for workflow Quarkus CI

Uh oh!

jmartisk left a comment

jponge commented Sep 4, 2025 •

edited

Loading

jmartisk left a comment •

edited

Loading

jponge commented Sep 4, 2025 •

edited

Loading

cescoffier commented Sep 4, 2025 •

edited

Loading

jponge commented Sep 5, 2025 •

edited

Loading

quarkus-bot bot commented Sep 8, 2025 •

edited by github-actions bot

Loading

Status for workflow `Quarkus CI`