From 940daba6be236e7e9b4175b843271547851bd983 Mon Sep 17 00:00:00 2001
From: ramitg254 <ramitg254@gmail.com>
Date: Wed, 8 Oct 2025 11:57:13 +0530
Subject: [PATCH] HIVE-29253:bump netty version to 4.1.127.Final due to
 CVE-2025-58057 CVE-2025-58056

enforced netty version to transitive dependencies
---
 pom.xml                      | 12 +++++++++++-
 standalone-metastore/pom.xml | 22 ++++++++++++++++++++++
 storage-api/pom.xml          | 15 +++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 0b6e318a1dd3..94a4faa34320 100644
--- a/pom.xml
+++ b/pom.xml
@@ -191,7 +191,7 @@
     <mockito-core.version>5.17.0</mockito-core.version>
     <mockito-inline.version>5.2.0</mockito-inline.version>
     <mina.version>2.0.0-M5</mina.version>
-    <netty.version>4.1.116.Final</netty.version>
+    <netty.version>4.1.127.Final</netty.version>
     <netty3.version>3.10.5.Final</netty3.version>
     <!-- used by druid storage handler -->
     <pac4j-saml.version>4.5.8</pac4j-saml.version>
@@ -444,6 +444,16 @@
         <artifactId>netty-all</artifactId>
         <version>${netty.version}</version>
       </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-transport-native-epoll</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
       <dependency>
         <groupId>jakarta.jms</groupId>
         <artifactId>jakarta.jms-api</artifactId>
diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
index 7ae7e8200c27..607f1cf641a0 100644
--- a/standalone-metastore/pom.xml
+++ b/standalone-metastore/pom.xml
@@ -101,6 +101,7 @@
     <protoc.path>${env.PROTOC_PATH}</protoc.path>
     <io.grpc.version>1.72.0</io.grpc.version>
     <sqlline.version>1.9.0</sqlline.version>
+    <netty.version>4.1.127.Final</netty.version>
     <!-- HIVE-28992: only upgrade to newer than 3.25.0 if you tested the prompt -->
     <jline.version>3.25.0</jline.version>
     <ST4.version>4.0.4</ST4.version>
@@ -134,6 +135,27 @@
   </properties>
   <dependencyManagement>
     <dependencies>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-all</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-transport-native-epoll</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-transport-native-epoll</artifactId>
+        <version>${netty.version}</version>
+        <classifier>linux-x86_64</classifier>
+      </dependency>
       <dependency>
         <groupId>org.apache.orc</groupId>
         <artifactId>orc-core</artifactId>
diff --git a/storage-api/pom.xml b/storage-api/pom.xml
index 1868ea4006f4..e659f5d2c039 100644
--- a/storage-api/pom.xml
+++ b/storage-api/pom.xml
@@ -28,6 +28,7 @@
   <properties>
     <maven.compiler.source>21</maven.compiler.source>
     <maven.compiler.target>21</maven.compiler.target>
+    <netty.version>4.1.127.Final</netty.version>
     <guava.version>22.0</guava.version>
     <hadoop.version>3.4.1</hadoop.version>
     <junit.version>4.13.2</junit.version>
@@ -42,6 +43,20 @@
     <maven.surefire.plugin.version>3.5.3</maven.surefire.plugin.version>
     <project.build.outputTimestamp>2025-01-01T00:00:00Z</project.build.outputTimestamp>
   </properties>
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-transport-native-epoll</artifactId>
+        <version>${netty.version}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
   <dependencies>
     <!-- compile inter-project -->
     <dependency>