fix: batch simple dependency bumps #103
Closed
evervault-dependencies wants to merge 1 commit into
- Bump io.netty:netty-codec-http to 4.1.132.Final (CVE-2026-33870)
- Add force for io.netty:netty-codec-http2:4.1.132.Final (CVE-2026-33871)
- Add force for org.bouncycastle:bcpg-jdk18on:1.84 (CVE-2026-3505)

Refs: COM-209
Socket for GitHub: Review the following changes in direct dependencies.
Member: duplicate, deps already resolved excl
Linear issue: COM-209

Batch of 3 simple dependency bumps to remediate HIGH severity Dependabot alerts.

Earliest SLA deadline: 2026-05-29T09:36:16.788Z

1. CVE-2026-33870 — `io.netty:netty-codec-http` (affected: < 4.1.132.Final; fixed: 4.1.132.Final)

   `io.netty:netty-codec-http` versions < 4.1.132.Final terminate HTTP/1.1 chunk-header parsing on a `\r\n` that appears inside a quoted chunk-extension value (e.g. `1;a="\r\n…`) instead of rejecting the request as malformed per RFC 9110 §5.6.4 / §7.1.1. RFC-compliant frontends reject the request with `400 Bad Request`, while Netty accepts it, producing a parsing differential that enables HTTP request smuggling, cache poisoning, ACL bypass, and session hijacking against any Netty-based HTTP/1.1 server.

   Exposure: This Android SDK does not host an HTTP/1.1 server and does not ship Netty in any published artifact. `netty-codec-http` only appears in Gradle's Unified Test Platform (UTP) internal configurations used to drive instrumented emulator tests over loopback gRPC. The bump is applied to keep the security baseline clean.

2. CVE-2026-33871 — `io.netty:netty-codec-http2` (affected: < 4.1.132.Final; fixed: 4.1.132.Final)

   `io.netty:netty-codec-http2` < 4.1.132.Final fails to enforce a maximum number of HTTP/2 `CONTINUATION` frames in `DefaultHttp2FrameReader`. An attacker can flood an HTTP/2 server with zero-byte `CONTINUATION` frames; the existing `maxHeaderListSize` byte-budget check never trips, allowing a single TCP connection to monopolise a CPU thread (low-bandwidth CPU DoS).

   Exposure: Same UTP-only situation as CVE-2026-33870 — no runtime exposure in the published AAR. Bump applied via `resolutionStrategy.force(...)`.

3. CVE-2026-3505 — `org.bouncycastle:bcpg-jdk18on` (affected: < 1.84; fixed: 1.84)

   `org.bouncycastle:bcpg-jdk18on` < 1.84 contains a pre-auth resource exhaustion vulnerability. The dependency only appears in the Kotlin compiler's `kotlinBouncyCastleConfiguration`, not in product code (the SDK uses `bcprov-jdk15to18` at runtime). Bump applied via `resolutionStrategy.force(...)`.

Changes

- `build.gradle.kts`: bumped `netty-codec-http` from `4.1.129.Final` → `4.1.132.Final`; added `force()` directives for `netty-codec-http2:4.1.132.Final` and `bcpg-jdk18on:1.84`.
- `evervault-core/gradle.lockfile`, `evervault-cages/gradle.lockfile`, `evervault-enclaves/gradle.lockfile`, `evervault-inputs/gradle.lockfile`, `sampleapplication/gradle.lockfile`: updated to reflect the new resolved versions. The two previously split `netty-codec-http2` entries (`4.1.93.Final` and `4.1.110.Final`) collapse to a single `4.1.132.Final` entry across all UTP configurations.

No application source code changes are required.
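The parsing differential behind CVE-2026-33870 in the description above, as an added example that is not part of this PR and is not Netty's code: a strict chunk-size-line parser that follows the RFC 9112 chunk grammar and the RFC 9110 §5.6.4 quoted-string rules (CR and LF are never valid inside a quoted-string) next to a lenient parser that, like the pre-4.1.132 behaviour described, ends the line at the first CRLF and discards the extension without validating it. The sample bodies are constructed for this example; running both parsers over the same bytes shows one side returning 400 while the other accepts a chunk.

```python
import string

# Character classes from RFC 9110 §5.6.2 (token) and §5.6.3 (bad whitespace).
HEXDIGITS = set(b"0123456789abcdefABCDEF")
TCHARS = set(b"!#$%&'*+-.^_`|~" + string.ascii_letters.encode() + string.digits.encode())
BWS = set(b" \t")


def _skip_bws(buf, i):
    while i < len(buf) and buf[i] in BWS:
        i += 1
    return i


def _read_token(buf, i):
    start = i
    while i < len(buf) and buf[i] in TCHARS:
        i += 1
    if i == start:
        raise ValueError("expected token at offset %d" % i)
    return buf[start:i].decode("ascii"), i


def _read_quoted_string(buf, i):
    """buf[i] is the opening DQUOTE. quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE."""
    i += 1
    out = bytearray()
    while True:
        if i >= len(buf):
            raise ValueError("unterminated quoted-string")
        c = buf[i]
        if c == 0x22:                       # closing DQUOTE
            return out.decode("latin-1"), i + 1
        if c == 0x5C:                       # quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
            if i + 1 >= len(buf):
                raise ValueError("unterminated quoted-pair")
            n = buf[i + 1]
            if n == 0x09 or 0x20 <= n <= 0x7E or n >= 0x80:
                out.append(n)
                i += 2
                continue
            raise ValueError("invalid quoted-pair")
        # qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text: CR (0x0D) and LF (0x0A) are excluded.
        if c in (0x09, 0x20, 0x21) or 0x23 <= c <= 0x5B or 0x5D <= c <= 0x7E or c >= 0x80:
            out.append(c)
            i += 1
            continue
        raise ValueError("control character 0x%02x inside quoted-string" % c)


def parse_chunk_header_strict(buf):
    """Parse 'chunk-size [ chunk-ext ] CRLF' (RFC 9112 §7.1).
    Returns (size, [(ext_name, ext_value), ...], bytes_consumed); raises ValueError on any
    malformed input, which a compliant server answers with 400 Bad Request."""
    i = 0
    while i < len(buf) and buf[i] in HEXDIGITS:
        i += 1
    if i == 0:
        raise ValueError("chunk-size must be 1*HEXDIG")
    size = int(buf[:i], 16)
    exts = []
    while True:
        if buf[i:i + 2] == b"\r\n":         # the only legal way to end the line
            return size, exts, i + 2
        j = _skip_bws(buf, i)
        if j >= len(buf) or buf[j] != 0x3B:  # chunk-ext must start with ';'
            raise ValueError("malformed chunk header at offset %d" % j)
        j = _skip_bws(buf, j + 1)
        name, j = _read_token(buf, j)
        value = None
        k = _skip_bws(buf, j)
        if k < len(buf) and buf[k] == 0x3D:  # '=' introduces chunk-ext-val = token / quoted-string
            k = _skip_bws(buf, k + 1)
            if k < len(buf) and buf[k] == 0x22:
                value, k = _read_quoted_string(buf, k)
            else:
                value, k = _read_token(buf, k)
            j = k
        exts.append((name, value))
        i = j


def parse_chunk_header_lenient(buf):
    """Mimics the behaviour the PR describes for netty-codec-http < 4.1.132.Final:
    the line ends at the first CRLF and anything after ';' is dropped unvalidated."""
    end = buf.find(b"\r\n")
    if end < 0:
        raise ValueError("incomplete chunk header")
    size_text = buf[:end].split(b";", 1)[0].strip()
    return int(size_text, 16), end + 2


def classify(buf):
    """Run both parsers on the same bytes and report what each would do."""
    result = {}
    try:
        result["strict"] = ("accept", parse_chunk_header_strict(buf)[0])
    except ValueError as e:
        result["strict"] = ("400 Bad Request", str(e))
    try:
        result["lenient"] = ("accept", parse_chunk_header_lenient(buf)[0])
    except ValueError as e:
        result["lenient"] = ("reject", str(e))
    return result


# Constructed sample chunked bodies for this example.
WELL_FORMED = b'5;ext="a;b"\r\nhello\r\n0\r\n\r\n'
MALFORMED = b'1;a="\r\nX\r\n0\r\n\r\n'     # CRLF inside an unterminated quoted chunk-ext value

if __name__ == "__main__":
    print("well-formed:", classify(WELL_FORMED))
    print("malformed:  ", classify(MALFORMED))
```

The strict parser deliberately has no "recover at the next CRLF" path: once it is inside a quoted-string it either reaches the closing DQUOTE or fails, so a frontend and backend built on the same rule agree on where the chunk header ends, which is the property the differential breaks.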
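For CVE-2026-33871, the following added example (not this PR's code and not Netty's `DefaultHttp2FrameReader`) is a minimal HTTP/2 header-block reassembler that applies both a byte budget and a cap on the number of `CONTINUATION` frames per header block. With only the byte budget, the shape the description attributes to the pre-4.1.132 reader, a stream of zero-byte `CONTINUATION` frames keeps the block open indefinitely; with the count cap it is rejected. The limit names, default values and the HPACK bytes fed in are assumptions constructed for this example.

```python
class ProtocolError(Exception):
    pass


class HeaderBlockAssembler:
    """Reassembles HEADERS + CONTINUATION frames into one header block fragment.

    max_header_list_size: byte budget for the accumulated block (a simplified stand-in
    for the byte-based check named in the description; Netty's real check works on
    decoded header sizes).
    max_continuation_frames: cap on CONTINUATION frames per block; None means no cap,
    which is the vulnerable configuration."""

    def __init__(self, max_header_list_size=8192, max_continuation_frames=None):
        self.max_header_list_size = max_header_list_size
        self.max_continuation_frames = max_continuation_frames
        self._buf = None             # None = no header block currently open
        self._continuations = 0

    def _check_size(self):
        if len(self._buf) > self.max_header_list_size:
            raise ProtocolError("header block exceeds %d bytes" % self.max_header_list_size)

    def _finish(self):
        block, self._buf = bytes(self._buf), None
        return block

    def on_headers(self, fragment, end_headers):
        """HEADERS frame opens a block; returns the block only if END_HEADERS is set."""
        if self._buf is not None:
            raise ProtocolError("HEADERS while a header block is still open")
        self._buf = bytearray(fragment)
        self._continuations = 0
        self._check_size()
        return self._finish() if end_headers else None

    def on_continuation(self, fragment, end_headers):
        """CONTINUATION must follow an open block; every frame is counted, even an empty one."""
        if self._buf is None:
            raise ProtocolError("CONTINUATION without an open header block")
        self._continuations += 1
        if (self.max_continuation_frames is not None
                and self._continuations > self.max_continuation_frames):
            raise ProtocolError("more than %d CONTINUATION frames in one header block"
                                % self.max_continuation_frames)
        self._buf += fragment
        self._check_size()       # zero-byte frames never change the outcome of this check
        return self._finish() if end_headers else None


def frames_accepted_before_rejection(assembler, n_zero_byte_frames):
    """Feed one HEADERS frame (END_HEADERS clear) then n empty CONTINUATION frames.
    Returns ('open', n) if the block is still waiting for END_HEADERS after all n
    frames, i.e. the connection stays tied up, or ('rejected', k) with k the frame
    that tripped a limit."""
    assembler.on_headers(b"\x82\x86", end_headers=False)   # two HPACK indexed fields (constructed)
    for i in range(n_zero_byte_frames):
        try:
            assembler.on_continuation(b"", end_headers=False)
        except ProtocolError:
            return ("rejected", i + 1)
    return ("open", n_zero_byte_frames)


if __name__ == "__main__":
    print("byte budget only:", frames_accepted_before_rejection(HeaderBlockAssembler(), 100_000))
    print("with frame cap:  ", frames_accepted_before_rejection(
        HeaderBlockAssembler(max_continuation_frames=64), 100_000))
```

The count check has to be per header block and has to run before the size check, since a frame with no payload adds nothing to the budget; the same reasoning applies to any frame-per-connection accounting a server adds on top.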