Bump the all group with 8 updates #356

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/gradle/all-06415285f4

dependabot Bot commented on behalf of github Jun 7, 2026

Bumps the all group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| org.http4k:http4k-server-netty | 6.50.0.0 | 6.53.0.0 |
| ch.qos.logback:logback-classic | 1.5.33 | 1.5.34 |
| io.netty:netty-all | 4.2.14.Final | 4.2.15.Final |
| io.netty:netty-transport-native-kqueue | 4.2.14.Final | 4.2.15.Final |
| io.netty:netty-transport-native-epoll | 4.2.14.Final | 4.2.15.Final |
| io.netty:netty-transport-native-io_uring | 4.2.14.Final | 4.2.15.Final |
| org.jetbrains.kotlin.jvm | 2.3.21 | 2.4.0 |
| org.jetbrains.kotlin.plugin.serialization | 2.3.21 | 2.4.0 |

Updates org.http4k:http4k-server-netty from 6.50.0.0 to 6.53.0.0

Release notes

Sourced from org.http4k:http4k-server-netty's releases.

6.53.0.0

Changelog:

  • http4k-*: Upgrade versions including Kotlin to 2.4.0
  • http4k-testing-webdriver: Http4kWebDriver supports multiple file upload H/T @​savagematt

6.52.0.0

Changelog:

  • http4k-security-digest: [Break] ServerFilters.DigestAuth and DigestAuthProvider now can have a DigestAlgorithm enum (MD5 / SHA_256).
  • http4k-ai-a2a-sdk: [Unlikely Break] PushNotificationSender.Http now takes a PushNotificationUrlPolicy.
  • http4k-ai-mcp-client: [Unlikely Break] DiscoveredMcpOAuth rejects cross-origin resource_metadata and the legacy auth_server directive from WWW-Authenticate; discovery now falls through to .well-known/oauth-protected-resource at the resource origin.
  • http4k-ai-mcp-x402: [Unlikely Break] X402ToolFilter and McpFilters.X402PaymentRequired now take a SettlementMode.
  • http4k-api-jsonrpc: [Unlikely Break] RoutingJsonRpcHandler now caps batch requests at 100 elements; oversized batches are rejected with a single Invalid Request error instead of being processed.
  • http4k-bridge-micronaut: [Unlikely Break] HttpRequest.asHttp4k() returns null for an unrecognised HTTP method (was IllegalArgumentException); the fallback controller responds with 501 Not Implemented in that case.
  • http4k-connect-storage-core: [Unlikely Break] Storage.Disk now canonicalises and containment-checks the key parameter on get/set/remove; keys whose resolved path escapes the configured directory are silently treated as missing.
  • http4k-connect-storage-http: [Unlikely Break] Storage.Http now URL-encodes the key before interpolating it into the request path.
  • http4k-connect-storage-jdbc: [Fix] Storage.Jdbc now escapes LIKE metacharacters (%, _, \) in keyPrefix, so keySet("%")/removeAll("%") no longer over-match. Implemented via Exposed's LikePattern.ofLiteral.
  • http4k-connect-storage-redis: [Fix] Storage.Redis now escapes glob metacharacters (*, ?, [, ], \) in keyPrefix, so keySet("*")/removeAll("*") no longer over-match.
  • http4k-multipart: [Unlikely Break] Disk-spilled multipart parts (via DiskLocation.Temp/Permanent) are created with owner-only POSIX permissions where the underlying filesystem supports them.
  • http4k-realtime-core: [Unlikely Break] InputStream.chunkedSseSequence() now caps the in-progress message buffer (10 MB by default).
  • http4k-security-oauth: [Unlikely Break] AuthServerDiscovery.fromProtectedResource now requires the metadata resource to match the expected resource at a path-segment boundary,
  • http4k-server-jetty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-jetty*: [Unlikely Break] SSE event name and id are now CR/LF-stripped before being written to the wire (matching SseMessage.Event.toMessage()).
  • http4k-server-jetty11: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-netty: [Unlikely Break] WebSocket message aggregation is now capped at 10 MB.
  • http4k-server-undertow: [Unlikely Break] Default Undertow builder now caps request bodies at 10 MB.
  • http4k-serverless-lambda: [Unlikely Break] ApiGatewayV1, ApplicationLoadBalancer, and ApiGatewayRest response adapters now also emit multiValueHeaders, preserving duplicate response headers (e.g. multiple Set-Cookie).
  • http4k-webhook: [Unlikely Break] HmacSha256.Signer rejects a WebhookId containing the signing delimiter .; HmacSha256.Verifier returns false for the same.
  • http4k-ai-mcp-sdk: [Fix] MCP transports now contain optional CorsPolicy to apply to traffic. Defaults to null to avoid breaking existing usages.
  • http4k-ai-mcp-sdk: [Fix] DirectoryResources in Recursive mode no longer permits reading a sibling.
  • http4k-connect-storage-core: [Fix] Storage.InMemory().removeAll(keyPrefix) now returns true only when at least one key was actually removed (was returning true whenever the map was non-empty, even if no keys matched the prefix).
  • http4k-connect-storage-http: [Fix] Storage.Http().keySet(keyPrefix) no longer returns {""} when the server replies with an empty body; empty lines are filtered out.
  • http4k-format-moshi-yaml: [Fix] SnakeYAML is now constructed with SafeConstructor instead of Constructor.
  • http4k-multipart: [Fix] multipartIterator() now selects the boundary directive from Content-Type by name.
  • http4k-multipart: [Fix] DiskLocation.Temp/Permanent no longer use the multipart filename as the on-disk temp-file prefix.
  • http4k-multipart: [Fix] MultipartFormBody.from(...) now closes the underlying DiskLocation on parse failure.
  • http4k-realtime-core: [Fix] SseMessage.Data.toMessage() and SseMessage.Event.toMessage() now safer.
  • http4k-security-digest: [Fix] DigestCredential.fromHeader no longer throws on an Authorization header containing only the scheme; the request now receives the standard challenge instead of a 500.
  • http4k-server-netty: [Fix] A WebSocket-upgrade request with a non-standard HTTP method no longer throws IllegalArgumentException.
  • http4k-template-freemarker: [Fix] FreemarkerTemplates.safeConfiguration(...) now sets newBuiltinClassResolver = TemplateClassResolver.SAFER_RESOLVER and disables ?api
  • http4k-wiretap: [Fix] MermaidDiagramView no longer renders captured Mermaid source with ?no_esc
  • http4k-template-freemarker: Adds FreemarkerTemplates.safeConfiguration(...) factory.
  • http4k-ai-a2a-sdk: Added PushNotificationUrlPolicy so urls can be validated.

6.51.0.0

Changelog:

  • http4k-*: Upgrade versions
  • http4k-server-netty: [Unlikely Break] Add websocket heartbeat monitor. H/T @​oharaandrew314
  • http4k-security-digest: [Unlikely Break] DigestAuthReceiver to generate challenge response with correct URI. H/T @​oharaandrew314
  • http4k-core: Adds a maxDecompressedSize: Long parameter to RequestFilters.GunZip, ResponseFilters.GunZip, ServerFilters.GZip, ServerFilters.GZipContentTypes, ClientFilters.GZip, ClientFilters.AcceptGZip, and the underlying Body.gunzippedStream.
Changelog

Sourced from org.http4k:http4k-server-netty's changelog.

Commits

Updates ch.qos.logback:logback-classic from 1.5.33 to 1.5.34

Release notes

Sourced from ch.qos.logback:logback-classic's releases.

Logback 1.5.34

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves [issues #1040](qos-ch/logback#1040), reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

Commits
  • e62272a prepare release 1.5.34
  • 1e9e926 add resolveProxyClassRejectsDynamicProxies unit test
  • 2de5cbe added StackTraceElementProxyTest, minor edits to AGENTS.md
  • 0e9b927 in case StackTraceElement is null use a substitute, fixing issues/1040
  • f7a0654 prevent resolveProxyClass bypass
  • 249b81f docs are no longer distributed
  • 1c3b26a start work on 1.5.34-SNAPSHOT
  • See full diff in compare view

Updates io.netty:netty-all from 4.2.14.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-all's releases.

netty-4.2.15.Final

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

Full Changelog: netty/netty@netty-4.2.14.Final...netty-4.2.15.Final

Commits
  • a41f7b2 [maven-release-plugin] prepare release netty-4.2.15.Final
  • 2394530 Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
  • 0bd1657 Add maxWindowLog parameter to ZstdDecoder to bound memory allocation (#16850)
  • 76291f5 Fix SCTP and Redis tests (#16893)
  • e067b6e Fix revapi warnings (#16885)
  • 5a52600 Pass maxAllocation to Brotli and Zstd decoders (#16844)
  • 541add0 Merge commit from fork
  • 270800e Merge commit from fork
  • 3d45a1e Merge commit from fork
  • 75127ca Merge commit from fork
  • Additional commits viewable in compare view

Updates io.netty:netty-transport-native-kqueue from 4.2.14.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-transport-native-kqueue's releases.

Updates io.netty:netty-transport-native-epoll from 4.2.14.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-transport-native-epoll's releases.

Updates io.netty:netty-transport-native-io_uring from 4.2.14.Final to 4.2.15.Final

Release notes

Sourced from io.netty:netty-transport-native-io_uring's releases.

Bumps the all group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [org.http4k:http4k-server-netty](https://github.com/http4k/http4k) | `6.50.0.0` | `6.53.0.0` |
| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `1.5.33` | `1.5.34` |
| [io.netty:netty-all](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-transport-native-kqueue](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-transport-native-epoll](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [io.netty:netty-transport-native-io_uring](https://github.com/netty/netty) | `4.2.14.Final` | `4.2.15.Final` |
| [org.jetbrains.kotlin.jvm](https://github.com/JetBrains/kotlin) | `2.3.21` | `2.4.0` |
| [org.jetbrains.kotlin.plugin.serialization](https://github.com/JetBrains/kotlin) | `2.3.21` | `2.4.0` |


Updates `org.http4k:http4k-server-netty` from 6.50.0.0 to 6.53.0.0
- [Release notes](https://github.com/http4k/http4k/releases)
- [Changelog](https://github.com/http4k/http4k/blob/master/CHANGELOG.md)
- [Commits](http4k/http4k@6.50.0.0...6.53.0.0)

Updates `ch.qos.logback:logback-classic` from 1.5.33 to 1.5.34
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](qos-ch/logback@v_1.5.33...v_1.5.34)

Updates `io.netty:netty-all` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-kqueue` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-epoll` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-io_uring` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-kqueue` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-epoll` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `io.netty:netty-transport-native-io_uring` from 4.2.14.Final to 4.2.15.Final
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.2.14.Final...netty-4.2.15.Final)

Updates `org.jetbrains.kotlin.jvm` from 2.3.21 to 2.4.0
- [Release notes](https://github.com/JetBrains/kotlin/releases)
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md)
- [Commits](JetBrains/kotlin@v2.3.21...v2.4.0)

Updates `org.jetbrains.kotlin.plugin.serialization` from 2.3.21 to 2.4.0
- [Release notes](https://github.com/JetBrains/kotlin/releases)
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md)
- [Commits](JetBrains/kotlin@v2.3.21...v2.4.0)

Updates `org.jetbrains.kotlin.plugin.serialization` from 2.3.21 to 2.4.0
- [Release notes](https://github.com/JetBrains/kotlin/releases)
- [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md)
- [Commits](JetBrains/kotlin@v2.3.21...v2.4.0)

---
updated-dependencies:
- dependency-name: org.http4k:http4k-server-netty
  dependency-version: 6.53.0.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-all
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-kqueue
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-epoll
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-io_uring
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-kqueue
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-epoll
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: io.netty:netty-transport-native-io_uring
  dependency-version: 4.2.15.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: org.jetbrains.kotlin.jvm
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: org.jetbrains.kotlin.plugin.serialization
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: org.jetbrains.kotlin.plugin.serialization
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and java labels Jun 7, 2026

dependabot Bot commented on behalf of github Jun 14, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot closed this Jun 14, 2026
dependabot Bot deleted the dependabot/gradle/all-06415285f4 branch June 14, 2026 20:22