Skip to content

fix(cve): bump scylladb driver to 4.19.2.0 — Stage 3 (CVE-2026-42583, CVE-2026-44249, CVE-2026-45416)#167

Merged
dkropachev merged 1 commit into
masterfrom
fix/cve-2026-42583-bump-driver-version
Jun 30, 2026
Merged

fix(cve): bump scylladb driver to 4.19.2.0 — Stage 3 (CVE-2026-42583, CVE-2026-44249, CVE-2026-45416)#167
dkropachev merged 1 commit into
masterfrom
fix/cve-2026-42583-bump-driver-version

Conversation

@nikagra

@nikagra nikagra commented May 22, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps scylladb.version from 4.19.0.9 to 4.19.2.0, which inherits the patched netty (4.1.135.Final) from the driver, making the temporary BOM override unnecessary.

CVEs addressed

CVE Severity CVSS Fixed In Root Fix PR
CVE-2026-42583 MEDIUM 6.5 netty 4.1.133.Final scylladb/java-driver#896
CVE-2026-44249 HIGH 8.1 netty 4.1.135.Final scylladb/java-driver#925
CVE-2026-45416 HIGH 7.5 netty 4.1.135.Final scylladb/java-driver#925

Changes

  1. scylladb.version: 4.19.0.94.19.2.0 — picks up driver with netty 4.1.135.Final
  2. Remove netty.version property + netty-bom import — no longer needed; the driver itself brings the correct netty version
  3. lz4-java: 1.10.11.11.0 — aligns with the version declared in the driver POM (<lz4.version>1.11.0</lz4.version> on scylla-4.x)

Verification

mvn dependency:tree -Dincludes=io.netty
# All io.netty artifacts should resolve to 4.1.135.Final

mvn dependency:tree -Dincludes=at.yawk.lz4
# lz4-java should resolve to 1.11.0

Relationship to other PRs

PR Stage Status
scylladb/java-driver#896 2 — root fix (CVE-2026-42583) Merged
scylladb/java-driver#925 2 — root fix (CVE-2026-44249, CVE-2026-45416) Merged
#165 1 — temporary netty-bom override (CVE-2026-42583) Superseded by #185
#185 1 — temporary netty-bom override (CVE-2026-44249, CVE-2026-45416) Merged
This PR 3 — consume fixed driver release Ready

Once this PR merges:

Closes #164, closes #184

@nikagra nikagra force-pushed the fix/cve-2026-42583-bump-driver-version branch from f60bd00 to d679c09 Compare June 15, 2026 18:11
@nikagra nikagra changed the title fix(cve): bump scylladb driver to 4.19.2.0 (netty 4.1.133.Final) — Stage 3 fix(cve): bump scylladb driver to 4.19.2.0 — Stage 3 (CVE-2026-42583, CVE-2026-44249, CVE-2026-45416) Jun 15, 2026
@nikagra nikagra force-pushed the fix/cve-2026-42583-bump-driver-version branch from d679c09 to 856c3d5 Compare June 29, 2026 14:35
@nikagra nikagra marked this pull request as ready for review June 29, 2026 14:36
Consume java-driver 4.19.2.0 which inherits the following fixes:

- CVE-2026-42583: netty-handler HTTP response splitting (fixed in 4.1.133.Final)
- CVE-2026-44249: netty-handler IPv6 subnet rule bypass (fixed in 4.1.135.Final)
- CVE-2026-45416: netty-handler SslClientHelloHandler DoS (fixed in 4.1.135.Final)

The driver 4.19.2.0 ships with netty 4.1.135.Final via scylladb/java-driver#925,
so the temporary netty-bom override added in #165 and #185 is no longer needed.

Also bumps lz4-java from 1.10.1 to 1.11.0 to match the driver POM.

Closes #164, closes #184
Supersedes: #165, #185 (Stage 1 overrides — safe to close)
Supersedes: Renovate PR #156 (lz4-java 1.10.1 → 1.11.0)
@nikagra nikagra force-pushed the fix/cve-2026-42583-bump-driver-version branch from 856c3d5 to fa0d892 Compare June 30, 2026 11:23
@nikagra nikagra requested a review from dkropachev June 30, 2026 13:16
@dkropachev dkropachev merged commit 9084845 into master Jun 30, 2026
8 checks passed
@nikagra nikagra deleted the fix/cve-2026-42583-bump-driver-version branch June 30, 2026 13:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

2 participants