From 0430ca5b6603ce3b179afebc3ec35092c1eb84ae Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 11 Jun 2026 15:29:36 +1000 Subject: [PATCH] UID2-7278: upgrade netty to 4.1.135.Final; extend CVE-2026-42577 expiry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - pom.xml: netty.version 4.1.133.Final → 4.1.135.Final (fixes CVE-2026-44249, CVE-2026-45416 in netty-handler; CVE-2026-45674, CVE-2026-47691 in netty-resolver-dns) - .trivyignore: extend CVE-2026-42577 expiry to 2026-09-11 (no 4.1.x fix yet) Co-Authored-By: Claude Sonnet 4.6 --- .trivyignore | 2 +- pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.trivyignore b/.trivyignore index 8a67b60..f31b5ce 100644 --- a/.trivyignore +++ b/.trivyignore @@ -13,4 +13,4 @@ GHSA-72hv-8253-57qq exp:2026-09-01 # gateway) so anonymous external attackers cannot reach the netty epoll socket directly; # LB-level connection limits and idle timeouts further cap the blast radius. CVSS impact is # Availability only (C:N/I:N/A:H). Tracking via UID2-7035; revisit on vert.x 5 migration. -CVE-2026-42577 exp:2026-06-08 +CVE-2026-42577 exp:2026-09-11 diff --git a/pom.xml b/pom.xml index 9015950..6b485ce 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ io.vertx.core.Launcher 11.4.16 - 4.1.133.Final + 4.1.135.Final ${project.version}
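Review bot: in the `.trivyignore` hunk, the changed line `CVE-2026-42577 exp:2026-09-11` moves the expiry by three months while the justification comment above it stays untouched, so the reason for the extension (per the commit message, no 4.1.x fix yet) is recorded only in the commit log. Add a line to that comment stating that the finding is still unfixed as of netty 4.1.135.Final and that the date was extended under UID2-7278, so the next person who hits the expiry can see whether the listed mitigations (LB connection limits, idle timeouts) were re-checked or the date was simply pushed. Note also that the old expiry, 2026-06-08, is earlier than this commit's date of 2026-06-11, meaning the suppression had already lapsed when it was renewed; a calendar reminder ahead of 2026-09-11 on UID2-7035 would avoid a repeat.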
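Review bot: in the `pom.xml` hunk, the bump from `4.1.133.Final` to `4.1.135.Final` changes a property value only, and nothing in the visible lines shows where that property is consumed. Netty arrives transitively through vert.x (the context line references `io.vertx.core.Launcher`), so the property only fixes the CVEs named in the commit message if it actually governs the resolved versions of netty-handler and netty-resolver-dns. Please confirm with `mvn dependency:tree -Dincludes=io.netty` that every io.netty artifact resolves to 4.1.135.Final, with no module left at 4.1.133.Final, and paste the result or the post-upgrade Trivy output into the PR description so the fix is verifiable from the review record.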