chore(deps): bump io.netty:netty-handler from 4.1.96.Final to 4.1.135.Final in /java

[dependabot]

Bumps io.netty:netty-handler from 4.1.96.Final to 4.1.135.Final.

Release notes

Sourced from io.netty:netty-handler's releases.

netty-4.1.135.Final

Security fixes

• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
• CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

• Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @​netty-project-bot in netty/netty#16834
• ChannelInitializer: correct misleading comment on exceptionCaught route by @​daguimu in netty/netty#16847
• HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @​yawkat in netty/netty#16856
• HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @​normanmaurer in netty/netty#16861
• IpSubnetFilter: Correctly handle ipv6 by @​normanmaurer in netty/netty#16860
• Configurable bound on RedisArrayAggregator by @​normanmaurer in netty/netty#16858
• Redis: Limit decoded length by @​normanmaurer in netty/netty#16859
• DNS: Ensure query id is not predictible by @​normanmaurer in netty/netty#16870
• Wrapping plain trust manager silently disables hostname verification by @​normanmaurer in netty/netty#16868
• MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @​daguimu in netty/netty#16852
• Fix revapi warnings (#16885) by @​chrisvest in netty/netty#16892
• HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @​normanmaurer in netty/netty#16866
• SSL: Use sane defaults as limits for the client hello length and timeout by @​normanmaurer in netty/netty#16871
• DNS: Only cache CNAME if part of the queried domain by @​normanmaurer in netty/netty#16873
• HTTP/2: Enforce max concurrent streams for misbehaving clients by @​normanmaurer in netty/netty#16876
• Dns: Insufficient Bailiwick Validation for NS Records by @​normanmaurer in netty/netty#16877
• HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @​normanmaurer in netty/netty#16880
• Pass maxAllocation to Brotli and Zstd decoders (#16844) by @​chrisvest in netty/netty#16886
• HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @​normanmaurer in netty/netty#16883
• Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @​netty-project-bot in netty/netty#16894
• HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @​normanmaurer in netty/netty#16881
• Epoll / Kqueue: Correctly handle receive of FD by @​normanmaurer in netty/netty#16872
• SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @​normanmaurer in netty/netty#16875
• Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @​normanmaurer in netty/netty#16878
• Redis: Limit the maximum number of nested arrays by @​normanmaurer in netty/netty#16882

Full Changelog: netty/netty@netty-4.1.134.Final...netty-4.1.135.Final

... (truncated)

Commits

• f05f765 [maven-release-plugin] prepare release netty-4.1.135.Final
• 728c98b Redis: Limit the maximum number of nested arrays (#16882)
• ced30ad Redis: Correctly release incomplete message on removal when using RedisArrayA...
• cef5395 SCTP: Limit the number of inflight incomplete SCTP messages and the number of...
• 652663c Epoll / Kqueue: Correctly handle receive of FD (#16872)
• bd6214f HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs (#16881)
• d7f9069 Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allo...
• b831454 HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory (#16883)
• 51260aa Pass maxAllocation to Brotli and Zstd decoders (#16844) (#16886)
• db6138b HTTP2: DelegatingDecompressorFrameListener must release memory in all cases (...
• Additional commits viewable in compare view