Bump Netty to 4.1.134.Final to fix MQTT decoder regression

Netty 4.1.133.Final introduced a regression in MqttDecoder while fixing CVE-2026-44248: when multiple MQTT packets are present in the same cumulation buffer, the per-message size check used the total buffer size instead of the current packet's declared remaining length. Valid in-limit packets get rejected with TooLongFrameException("message length exceeds 65536: <small number>"). Fixed upstream by netty/netty#16787 and ported to 4.1 as netty/netty@30f8f284db, released in 4.1.134.Final.
3 days ago · 3eab08db8b
1 changed files with 1 additions and 1 deletions
--- a/pom.xml
+++ b/pom.xml
@ -69,7 +69,7 @@
        <spring-boot-test.version>3.5.13</spring-boot-test.version>
        <commons-lang3.version>3.18.0</commons-lang3.version> <!-- to fix CVE-2025-48924. TODO: remove when fixed in spring-boot-dependencies -->
        <postgresql.version>42.7.11</postgresql.version> <!-- to fix CVE-2026-42198. TODO: remove when fixed in spring-boot-dependencies -->
-        <netty.version>4.1.133.Final</netty.version> <!-- to fix CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587. TODO: remove when fixed in spring-boot-dependencies -->
+        <netty.version>4.1.134.Final</netty.version> <!-- to fix CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587, and MQTT decoder regression introduced in 4.1.133 by the CVE-2026-44248 fix. TODO: remove when fixed in spring-boot-dependencies -->
        <tomcat.version>10.1.55</tomcat.version> <!-- to fix CVE-2026-41284, CVE-2026-43512. TODO: remove when fixed in spring-boot-dependencies -->
        <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
        <jjwt.version>0.12.5</jjwt.version>