Merge pull request #37 from IABTechLab/syw-UID2-6916-fix-netty-cve-2026-33870

mcollins-ttd · web-flow · commit 4c8d95e571f0 · 2026-04-15T10:31:38.000+10:00
UID2-6916: Fix CVE-2026-33870 and CVE-2026-33871 - Force netty to 4.1.132.Final
diff --git a/pom.xml b/pom.xml
@@ -40,6 +40,29 @@
         <java.version>21</java.version>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- Force netty to 4.1.132.Final to fix CVE-2026-33870 and CVE-2026-33871 (UID2-6916) -->
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-codec-http</artifactId>
+                <version>4.1.132.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-codec-http2</artifactId>
+                <version>4.1.132.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>4.1.132.Final</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>com.uid2</groupId>
