From 913245de48851e1df502eb362006d87d651f4cd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Siebahn?=
Date: Thu, 20 Feb 2025 09:42:30 +0100
Subject: [PATCH] security(deps): force netty bump to 4.1.118 to mitigate CVE-2025-24970

---
 build.gradle | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/build.gradle b/build.gradle
index 62aa1220..f4cf1172 100644
--- a/build.gradle
+++ b/build.gradle
@@ -69,7 +69,10 @@ dependencies {
 exclude group: "org.slf4j"
 // recheck when operator-framework is upgraded
 exclude group: 'com.squareup.okio', module: 'okio'
+ // vulnerability in 4.1.117.Final, may be removed when netty is updated in operator framework
+ exclude group: 'io.netty', module: 'netty-common'
 }
+ implementation 'io.netty:netty-common:4.1.118.Final'
 annotationProcessor "io.javaoperatorsdk:operator-framework:${operatorFrameworkVersion}", {
 // self managed to avoid conflicts
 exclude group: "org.slf4j"
@@ -140,6 +143,8 @@ dependencies {
 exclude group: "org.slf4j"
 exclude group: 'com.squareup.okio', module: 'okio'
 exclude group: 'junit', module: 'junit'
+ // vulnerability in 4.1.117.Final
+ exclude group: 'io.netty', module: 'netty-common'
 }
 // CVE-2020-15250 in 4.12
 // -> pulled transitively from OkHttp3 mockwebserver used by kubernetes-server-mock
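Review bot: The pin added in the first hunk forces only `io.netty:netty-common` to 4.1.118.Final, while every other netty artifact that operator-framework (and the test dependency in the second hunk) pulls in transitively stays at the version those libraries declare, 4.1.117.Final according to the added comments. As far as I recall, CVE-2025-24970 is tracked against `SslHandler` in `netty-handler` rather than `netty-common`, so excluding and re-adding `netty-common` alone would not replace the vulnerable class; this should be confirmed against the advisory before the commit title is relied on. Running netty modules at mixed patch versions is also not a supported combination upstream, so the partial pin can itself introduce runtime inconsistencies. A resolution rule on all configurations aligns every netty module in every configuration in one place, e.g. `configurations.all { resolutionStrategy.eachDependency { if (it.requested.group == 'io.netty') it.useVersion('4.1.118.Final') } }`, and makes the per-dependency `exclude` lines in both hunks unnecessary. The enclosing `dependencies { … }` block starts and ends outside both hunks.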