From 07a232d7b4cad698545bad7e23d58767a288149b Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Tue, 26 Oct 2021 00:09:15 -0400
Subject: [PATCH] Bump netty4 to 4.1.68; suppress CVE-2021-37136 and
 CVE-2021-37137 for netty3 (#11844)

* bump netty4 to 4.1.68

* suppress CVE-2021-37136 and CVE-2021-37137 for netty3

* license
---
 licenses.yaml                           |  2 +-
 owasp-dependency-check-suppressions.xml | 24 ++++++++++++++----------
 pom.xml                                 |  2 +-
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/licenses.yaml b/licenses.yaml
index bc7677872a8..8312ebcd814 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1228,7 +1228,7 @@ name: Netty
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 4.1.63.Final
+version: 4.1.68.Final
 libraries:
   - io.netty: netty-buffer
   - io.netty: netty-codec
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 8a36f7a3b7d..b7da4e5a167 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -162,6 +162,8 @@
     <cve>CVE-2019-16869</cve>
     <cve>CVE-2019-20444</cve>
     <cve>CVE-2019-20445</cve>
+    <cve>CVE-2021-37136</cve>
+    <cve>CVE-2021-37137</cve>
   </suppress>
   <suppress>
     <!-- TODO: Fix by upgrading hadoop-auth version -->
@@ -286,16 +288,18 @@
     <cve>CVE-2019-17571</cve>
   </suppress>
   <suppress>
-     <!--
-       - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-       -->
-     <notes><![CDATA[
-     file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-     ]]></notes>
-     <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-     <cve>CVE-2019-16869</cve>
-     <cve>CVE-2019-20444</cve>
-     <cve>CVE-2019-20445</cve>
+    <!--
+      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+      -->
+    <notes><![CDATA[
+    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+    <cve>CVE-2019-20444</cve>
+    <cve>CVE-2019-20445</cve>
+    <cve>CVE-2021-37136</cve>
+    <cve>CVE-2021-37137</cve>
   </suppress>
   <suppress>
        <!--
diff --git a/pom.xml b/pom.xml
index 5dfe8b399d1..ee60c3bbf3a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -100,7 +100,7 @@
         <mysql.version>5.1.48</mysql.version>
         <mariadb.version>2.7.3</mariadb.version>
         <netty3.version>3.10.6.Final</netty3.version>
-        <netty4.version>4.1.63.Final</netty4.version>
+        <netty4.version>4.1.68.Final</netty4.version>
         <postgresql.version>42.2.14</postgresql.version>
         <protobuf.version>3.11.0</protobuf.version>
         <resilience4j.version>1.3.1</resilience4j.version>