MINOR: Upgrade netty to 4.125 for CVE-2025-58057 (#20734)

ShichengRao · web-flow · commit e118c0872125 · 2025-10-21T10:51:01.000+09:00
https://nvd.nist.gov/vuln/detail/CVE-2025-58057 lists netty versions 4.1.124.Final and below as vulnerable, so bumping netty to 4.1.125.Final Signed-off-by: Shicheng Rao <shichengrao@users.noreply.github.com> Reviewers: Luke Chen <showuon@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com>
diff --git a/LICENSE-binary b/LICENSE-binary
@@ -244,15 +244,15 @@ lz4-java-1.8.0
 maven-artifact-3.9.6
 metrics-core-4.1.12.1
 metrics-core-2.2.0
-netty-buffer-4.1.119.Final
-netty-codec-4.1.119.Final
-netty-common-4.1.119.Final
-netty-handler-4.1.119.Final
-netty-resolver-4.1.119.Final
-netty-transport-4.1.119.Final
-netty-transport-classes-epoll-4.1.119.Final
-netty-transport-native-epoll-4.1.119.Final
-netty-transport-native-unix-common-4.1.119.Final
+netty-buffer-4.1.125.Final
+netty-codec-4.1.125.Final
+netty-common-4.1.125.Final
+netty-handler-4.1.125.Final
+netty-resolver-4.1.125.Final
+netty-transport-4.1.125.Final
+netty-transport-classes-epoll-4.1.125.Final
+netty-transport-native-epoll-4.1.125.Final
+netty-transport-native-unix-common-4.1.125.Final
 opentelemetry-proto-1.0.0-alpha
 plexus-utils-3.5.1
 reflections-0.10.2
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
@@ -143,7 +143,7 @@ versions += [
   lz4: "1.8.0",
   mavenArtifact: "3.9.6",
   metrics: "2.2.0",
-  netty: "4.1.119.Final",
+  netty: "4.1.125.Final",
   opentelemetryProto: "1.0.0-alpha",
   protobuf: "3.25.5", // a dependency of opentelemetryProto
   pcollections: "4.0.1",
