From 5013e2e432a62e60d863f0f3cc6343230aa32c8b Mon Sep 17 00:00:00 2001
From: Hazmi <ialhazmim@gmail.com>
Date: Mon, 25 Nov 2024 13:03:39 +0300
Subject: [PATCH] Upgrade netty dependencies to address CVE-2024-47535

Upgrade the netty dependencies to resolve CVE-2024-47535
If implemented this will:
Upgrade the netty dependencies to 4.1.115.Final
---
 pom.xml                    | 11 ++++++++---
 redis-hbo-provider/pom.xml |  4 ----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/pom.xml b/pom.xml
index 9428af89d47f9..ee4920c084624 100644
--- a/pom.xml
+++ b/pom.xml
@@ -82,6 +82,7 @@
         <dep.avro.version>1.11.4</dep.avro.version>
         <dep.commons.compress.version>1.26.2</dep.commons.compress.version>
         <dep.protobuf-java.version>3.25.5</dep.protobuf-java.version>
+        <dep.netty.version>4.1.115.Final</dep.netty.version>
         <dep.snakeyaml.version>2.0</dep.snakeyaml.version>
 
         <!--
@@ -209,10 +210,12 @@
         <dependencies>
             <dependency>
                 <groupId>io.netty</groupId>
-                <artifactId>netty-handler</artifactId>
-                <version>4.1.107.Final</version>
+                <artifactId>netty-bom</artifactId>
+                <version>${dep.netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
             </dependency>
-            
+
             <dependency>
                 <groupId>com.facebook.presto</groupId>
                 <artifactId>presto-testing-docker</artifactId>
@@ -2339,6 +2342,8 @@
                         <ignoredClassPatterns combine.children="append">
                             <!-- Duplicate class is being brought in by commons-io & log4j-api -->
                             <ignoredClassPattern>META-INF.versions.9.module-info</ignoredClassPattern>
+                            <!-- Duplicate class is being brought in by several netty dependencies-->
+                            <ignoredClassPattern>META-INF.versions.11.module-info</ignoredClassPattern>
                         </ignoredClassPatterns>
                     </configuration>
                 </plugin>
diff --git a/redis-hbo-provider/pom.xml b/redis-hbo-provider/pom.xml
index 14d660b339f85..fd8d35a940604 100644
--- a/redis-hbo-provider/pom.xml
+++ b/redis-hbo-provider/pom.xml
@@ -11,7 +11,6 @@
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
         <lettuce.version>6.2.4.RELEASE</lettuce.version>
-        <netty.version>4.1.115.Final</netty.version>
     </properties>
 
     <artifactId>redis-hbo-provider</artifactId>
@@ -22,19 +21,16 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-common</artifactId>
-            <version>${netty.version}</version>
         </dependency>
 
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler</artifactId>
-            <version>${netty.version}</version>
         </dependency>
 
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-transport</artifactId>
-            <version>${netty.version}</version>
         </dependency>
 
         <dependency>