build(deps): bump io.netty:netty-bom from 4.2.14.Final to 4.2.15.Final

[dependabot]

Bumps io.netty:netty-bom from 4.2.14.Final to 4.2.15.Final.

Release notes

Sourced from io.netty:netty-bom's releases.

netty-4.2.15.Final

Security fixes

• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
• CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-XXXXX: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
• CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

• Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by @​dreamlike-ocean in netty/netty#16836
• HTTP/2: Parse request-target path like Vert.x by @​yawkat in netty/netty#16810
• Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by @​netty-project-bot in netty/netty#16853
• FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) by @​schiemon in netty/netty#16837
• Pass maxAllocation to Brotli and Zstd decoders by @​fedinskiy in netty/netty#16844
• Fix revapi warnings by @​chrisvest in netty/netty#16885
• Fix SCTP and Redis tests by @​chrisvest in netty/netty#16893
• Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @​skyguard1 in netty/netty#16850
• Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @​netty-project-bot in netty/netty#16890

New Contributors

• @​schiemon made their first contribution in netty/netty#16837
• @​fedinskiy made their first contribution in netty/netty#16844

Full Changelog: netty/netty@netty-4.2.14.Final...netty-4.2.15.Final

Commits

• a41f7b2 [maven-release-plugin] prepare release netty-4.2.15.Final
• 2394530 Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remain...
• 0bd1657 Add maxWindowLog parameter to ZstdDecoder to bound memory allocation (#16850)
• 76291f5 Fix SCTP and Redis tests (#16893)
• e067b6e Fix revapi warnings (#16885)
• 5a52600 Pass maxAllocation to Brotli and Zstd decoders (#16844)
• 541add0 Merge commit from fork
• 270800e Merge commit from fork
• 3d45a1e Merge commit from fork
• 75127ca Merge commit from fork
• Additional commits viewable in compare view

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 1784868.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

parent-pom/pom.xml

Package	Version	License	Issue Type
io.netty:netty-bom	4.2.15	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
maven/io.netty:netty-bom	4.2.15	Unknown	Unknown

Scanned Files

• parent-pom/pom.xml

[github-actions]

📚 Javadoc Generated

The Javadoc documentation has been generated for this PR. Download the javadoc artifact from the workflow run to view the complete API documentation with UML diagrams.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

📚 Javadoc Generated

The Javadoc documentation has been generated for this PR. Download the javadoc artifact from the workflow run to view the complete API documentation with UML diagrams.