apacheGH-36209: [Java] Upgrade Netty due to security vulnerability (apache#36211) (#27)

* apacheGH-36209: [Java] Upgrade Netty due to security vulnerability (apache#36211)

Upgrading Netty dependency due to CVE GHSA-6mjq-h674-j845
This also requires a patch to arrow-memory

Upgrading Netty, gRPC and Protobuf dependencies

Existing tests

No

**This PR contains a "Critical Fix".**

netty-handler SniHandler 16MB allocation

The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap.

GHSA-6mjq-h674-j845

* Closes: apache#36209

Authored-by: Bryan Cutler <cutlerb@gmail.com>
Signed-off-by: David Li <li.davidm96@gmail.com>

* Restore jackson version.

---------

Signed-off-by: David Li <li.davidm96@gmail.com>
Co-authored-by: Bryan Cutler <cutlerb@gmail.com>
lriggs and BryanCutler committed Jul 21, 2023
1 parent e922a6b commit 81d69b0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion java/pom.xml
Expand Up @@ -36,7 +36,7 @@
<dep.netty-bom.version>4.1.93.Final</dep.netty-bom.version>
<dep.grpc-bom.version>1.56.0</dep.grpc-bom.version>
<dep.protobuf-bom.version>3.23.1</dep.protobuf-bom.version>
<dep.jackson-bom.version>2.15.1</dep.jackson-bom.version>
<dep.jackson-bom.version>2.13.4</dep.jackson-bom.version>
<dep.hadoop.version>2.7.1</dep.hadoop.version>
<dep.fbs.version>1.12.0</dep.fbs.version>
<dep.avro.version>1.10.0</dep.avro.version>
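Review bot: the only change in this hunk is `dep.jackson-bom.version` going from `2.15.1` to `2.13.4`, which is a downgrade, while `dep.netty-bom.version` stays at `4.1.93.Final` as unchanged context; the commit title and body say the commit upgrades Netty (and gRPC and Protobuf) to address GHSA-6mjq-h674-j845, but nothing here touches those versions. For a commit marked "Critical Fix", the message should state whether the Netty bump landed in a separate commit (or whether `4.1.93.Final` is already the patched line), and the "Restore jackson version." note should explain why Jackson is being moved back to an older release rather than kept at the version the upstream change used, so reviewers can confirm the downgrade does not reopen anything fixed in the newer Jackson line.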