Conversation

jponge
Member

@jponge jponge commented Sep 4, 2025

This fixes Netty CVEs: CVE-2025-58057 and CVE-2025-58056

@quarkus-bot quarkus-bot bot changed the title Bump to Vert.x 4.5.21 and Netty 4.1.126.Final [3.20] Bump to Vert.x 4.5.21 and Netty 4.1.126.Final Sep 4, 2025

quarkus-bot bot commented Sep 4, 2025

/cc @aloubyansky (3.20), @gastaldi (3.20), @gsmet (3.20), @jmartisk (3.20), @rsvoboda (3.20)

@quarkus-bot quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/netty area/vertx labels Sep 4, 2025
Member

@gsmet gsmet left a comment

Let's make sure we have everything sorted out in #49867 first before merging this.

@jponge
Member Author

jponge commented Sep 8, 2025

I messed up with my branch

jponge and others added 4 commits September 8, 2025 15:17
We override the authority here so we need to be extra careful.
Also fixes Vertx context being created in tests but never being cleared.

Co-authored-by: Clement Escoffier <[email protected]>
This fixes Netty/BouncyCastle issues.
@jponge jponge changed the title [3.20] Bump to Vert.x 4.5.21 and Netty 4.1.126.Final [3.20] Bump to Vert.x 4.5.21 and Netty 4.1.127.Final Sep 8, 2025
@jponge jponge force-pushed the deps/vertx-4.5.21-3.20 branch from ea0b8dd to 046b26e Compare September 8, 2025 13:19
@jponge
Member Author

jponge commented Sep 8, 2025

@jmartisk this should be good, but you might want to squash the commits when it's good to merge


quarkus-bot bot commented Sep 8, 2025

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 046b26e.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

@marcelstoer
Contributor

@jponge thanks for the updates, much appreciated! Would anyone care to explain how such fixes will find their way into RHBQ 3.20 releases? I previously tried through https://issues.redhat.com/projects/QUARKUS (using the corporate account) but got nowhere.

@jmartisk
Contributor

jmartisk commented Sep 9, 2025

@jponge thanks for the updates, much appreciated! Would anyone care to explain how such fixes will find their way into RHBQ 3.20 releases? I previously tried through https://issues.redhat.com/projects/QUARKUS (using the corporate account) but got nowhere.

This PR will first get merged into the 3.20.3 community release, which will then be the base for the corresponding RHBQ release.

@marcelstoer
Contributor

marcelstoer commented Sep 9, 2025

This landing in 3.20.3 is important information, thanks. Should it be assigned to the 3.20.3 milestone? Or does this happen only once it's merged?

the base for the corresponding RHBQ release

Given the above, this for us means that there's no need to wait for a new RHBQ release that includes the Vert.x and Netty vulnerability fixes. RHBQ 3.20.3.GA is due only in a month. We'll now manage those dependencies manually.

@jmartisk
Contributor

jmartisk commented Sep 9, 2025

Should it be assigned to the 3.20.3 milestone? Or does this happen only once it's merged?

Yes, that is exactly how we do it :)

@jmartisk jmartisk merged commit 03c128f into quarkusio:3.20 Sep 10, 2025
55 checks passed
@jmartisk jmartisk added this to the 3.20.3 milestone Sep 10, 2025