From fa0d8925d234d3d4642ce2c6902e74c75cbd2079 Mon Sep 17 00:00:00 2001 From: Mikita Hradovich Date: Mon, 15 Jun 2026 20:10:50 +0200 Subject: [PATCH] fix(cve): bump scylladb driver to 4.19.2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Consume java-driver 4.19.2.0 which inherits the following fixes: - CVE-2026-42583: netty-handler HTTP response splitting (fixed in 4.1.133.Final) - CVE-2026-44249: netty-handler IPv6 subnet rule bypass (fixed in 4.1.135.Final) - CVE-2026-45416: netty-handler SslClientHelloHandler DoS (fixed in 4.1.135.Final) The driver 4.19.2.0 ships with netty 4.1.135.Final via scylladb/java-driver#925, so the temporary netty-bom override added in #165 and #185 is no longer needed. Also bumps lz4-java from 1.10.1 to 1.11.0 to match the driver POM. Closes #164, closes #184 Supersedes: #165, #185 (Stage 1 overrides — safe to close) Supersedes: Renovate PR #156 (lz4-java 1.10.1 → 1.11.0) --- pom.xml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/pom.xml b/pom.xml index e2782cc..9b74649 100644 --- a/pom.xml +++ b/pom.xml @@ -18,10 +18,9 @@ 3.5.6 3.9.2 5.14.4 - 4.19.0.9 + 4.19.2.0 false - 4.1.135.Final 2.21.3 2.21 33.6.0-jre @@ -248,16 +247,6 @@ - - - io.netty - netty-bom - ${netty.version} - pom - import - com.fasterxml.jackson.core jackson-core @@ -373,7 +362,7 @@ at.yawk.lz4 lz4-java - 1.10.1 + 1.11.0