sec: upgrade netty, commons-fileupload and pin grpc to patched versions#36548
sec: upgrade netty, commons-fileupload and pin grpc to patched versions#36548mbiuki wants to merge 5 commits into
Conversation
Fixes dependency vulnerabilities flagged in a customer security scan: - io.netty:* pins: 4.1.118.Final -> 4.1.136.Final (CVE-2025-55163, CVE-2025-58057) - commons-fileupload: 1.5 -> 1.6.0 (CVE-2025-48976) - io.grpc: import grpc-bom 1.82.2 ahead of langchain4j-bom so grpc-netty-shaded (transitive, was 1.71.0) bundles a patched netty commons-fileupload 1.6.0 removed the throws clause and raw Map from FileUploadBase.createItem, so the two legacy Liferay overrides are updated to match the new signature. Closes #36546 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01JHg1W7beD4Z1yLoTJpyXss
|
Claude finished @mbiuki's task in 3m 44s —— View job PR Review: security dependency upgrades
New IssuesNo blocking issues.
Notes (non-blocking, looks correct)
SummaryClean, well-scoped security bump. The only thing worth doing before merge is a sanity check on the langchain4j/Vertex-AI Gemini path given the grpc 1.71→1.82 jump; everything else (netty family alignment, fileupload signature update, BOM ordering) is correct. Versions are added to · |
Trivy scan of the published image showed netty-codec-http/http2 (4.1.132) and netty-resolver-dns/codec-dns (4.1.112) arriving transitively with their own CVEs (CVE-2026-42579/42584/42587, CVE-2026-45674/47691, all fixed by 4.1.135.Final). Pin them alongside the six existing netty pins. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01JHg1W7beD4Z1yLoTJpyXss
|
Extended the netty fix based on a Trivy scan of the published image (
Resolution verified via 🤖 Generated with Claude Code |
Trivy/review follow-up: dependency:tree showed seven more io.netty artifacts arriving transitively at older versions than the pinned ten (netty-transport-native-epoll/kqueue and netty-transport-native-unix-common at 4.1.63.Final, netty-codec-socks and netty-handler-proxy at 4.1.118, netty-transport-classes-epoll at 4.1.130, netty-resolver-dns-classes-macos at 4.1.112) — version skew within the netty family risks runtime linkage errors on top of the unpatched CVEs. Importing io.netty:netty-bom:4.1.136.Final (before langchain4j-bom, same first-BOM-wins pattern as grpc-bom) aligns the entire family including native/classifier artifacts that individual pins don't cover, and moves netty-tcnative to its paired 2.0.78.Final. Verified: dependency:tree now resolves every io.netty 4.x artifact to 4.1.136.Final; ./mvnw install -pl :dotcms-core --am -DskipTests passes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Follow-up on the review's netty-coverage item (pushed
Rather than growing the pin list, the commit replaces all individual netty pins with a single Verification: On the previous CI run's failures: only Postman Tests - Default actually failed (the other five red jobs were fail-fast cancellations). Its three assertion failures — bundle-delete message text, 'a second language must be present', and a block-editor body-format mismatch — don't touch netty/commons-fileupload/grpc code paths, and PR #36618 (which includes the same main merge) passed the identical suite this morning, so they look flaky/order-dependent. The fresh run on this push will confirm. 🤖 Generated with Claude Code |
|
✅ CI results on Full suite green: JVM unit tests, all Integration MainSuites (1a/1b/2a/2b/3a, Junit5), all Postman collections, Karate, and E2E Playwright. Worth noting: the Postman Tests - Default assertion failures from the previous run (bundle-delete message text, second-language presence, block-editor body format) did not reproduce on this run with the same test code — confirming they were flaky/order-dependent rather than related to the dependency upgrades. PR is now blocked only on review 🤖 Generated with Claude Code |
Proposed Changes
Remediates the dependency vulnerabilities from a customer security scan (helpdesk ticket 38243) that were verified as part of the dotCMS application stack. Full package-by-package classification is in the linked issue.
io.netty:*artifacts inbom/application/pom.xmlfrom 4.1.118.Final to 4.1.136.Final (CVE-2025-55163, CVE-2025-58057)commons-fileuploadfrom 1.5 to 1.6.0 (CVE-2025-48976)io.grpc:grpc-bom1.82.2 ahead oflangchain4j-bomso the transitivegrpc-netty-shaded(previously 1.71.0, bundles a vulnerable netty) resolves to a patched releasecreateItemoverrides to match the commons-fileupload 1.6.0 signature (Map<String, String>param, nothrows FileUploadException) — behavior unchanged, they only capture the uploaded filename into the sessionNot addressed here (documented in #36546):
jdom1.1.3 (needs jdom2 migration; required at runtime by WebDAV), Elasticsearch 7.10.2 client (deliberate Apache-2.0 pin, OpenSearch migration is the fix),cryptacular(not in core), and the ImageMagick/OpenEXR OS libraries (libvips dependencies in the Docker image, patched via image rebuilds).Checklist
./mvnw install -pl :dotcms-core --am -DskipTests -Ddocker.skip→ BUILD SUCCESSdependency:tree: netty-codec 4.1.136.Final, commons-fileupload 1.6.0, grpc-netty-shaded 1.82.2Closes #36546
🤖 Generated with Claude Code