Upgrade Netty 4.1.126.Final to 4.1.132.Final to fix CVE-2025-67735 vulnerability

[lfurman]

Motivation

netty.version 4.1.126.Final is affected by two HIGH-severity vulnerability CVE-2025-67735:

Both are fixed in 4.1.132.Final.

Changes

Dependency	From	To
netty.version	4.1.126.Final	4.1.132.Final
lettuce.core.version	6.7.1.RELEASE	6.8.2.RELEASE
reactor-bom	2024.0.10	2024.0.17
s3-sdk.version (blob-s3)	2.33.5	2.42.34

lettuce-core (the Redis client) uses Netty internally, so it is bumped
alongside Netty to keep both on a consistent Netty runtime.
reactor-bom and s3-sdk are bumped to their latest stable releases as
part of the same dependency maintenance pass.

Testing

1. Build the distributed-app module:

 mvn clean package -DskipTests -pl server/apps/distributed-app -am 

2. Check the version of the netty libraries in the output directory:

ls server/apps/distributed-app/target/james-server-distributed-app.lib | grep netty | sort

Output:

james-server-guice-netty-3.10.0-SNAPSHOT.jar
netty-buffer-4.1.132.Final.jar
netty-codec-4.1.132.Final.jar
netty-codec-dns-4.1.132.Final.jar
netty-codec-haproxy-4.1.132.Final.jar
netty-codec-http-4.1.132.Final.jar
netty-codec-http2-4.1.132.Final.jar
netty-codec-socks-4.1.132.Final.jar
netty-common-4.1.132.Final.jar
netty-handler-4.1.132.Final.jar
netty-handler-proxy-4.1.132.Final.jar
netty-nio-client-2.42.34.jar
netty-resolver-4.1.132.Final.jar
netty-resolver-dns-4.1.132.Final.jar
netty-resolver-dns-classes-macos-4.1.132.Final.jar
netty-resolver-dns-native-macos-4.1.132.Final-osx-x86_64.jar
netty-transport-4.1.132.Final.jar
netty-transport-classes-epoll-4.1.132.Final.jar
netty-transport-native-epoll-4.1.132.Final-linux-x86_64.jar
netty-transport-native-epoll-4.1.132.Final.jar
netty-transport-native-unix-common-4.1.132.Final.jar
protocols-netty-3.10.0-SNAPSHOT.jar
reactor-netty-1.2.17.jar
reactor-netty-core-1.2.17.jar
reactor-netty-http-1.2.17.jar

[chibenwa]

Looks nice 👍
Can you please triple check the history, it fo not look like the proposed changeset matches the description of the pr...

[lfurman]

@chibenwa - Thank you for the review!

The mismatch was caused by my branch previously including extra commits from my fork's master on top of upstream.

I have since rebased onto upstream/master so the PR now correctly shows 1 commit with exactly the 4 version bumps described. I also corrected the CVE references in the title and commit message.

[Arsnael]

Looks good to me as well. Thank you for this @lfurman !