From ddedf3a4ca7d6d22e17f70802acf9f4f1733a97a Mon Sep 17 00:00:00 2001 From: yud8 Date: Thu, 5 Feb 2026 15:30:09 +0800 Subject: [PATCH] [Improvement-17952][Dependency][Security] Upgrade Netty to fix HTTP/2 DoS (CVE-2023-44487) --- dolphinscheduler-bom/pom.xml | 2 +- dolphinscheduler-dist/release-docs/LICENSE | 6 +-- tools/dependencies/known-dependencies.txt | 52 +++++++++++----------- 3 files changed, 30 insertions(+), 30 deletions(-) diff --git a/dolphinscheduler-bom/pom.xml b/dolphinscheduler-bom/pom.xml index 3c863e120a4a..91783d3fff22 100644 --- a/dolphinscheduler-bom/pom.xml +++ b/dolphinscheduler-bom/pom.xml @@ -28,7 +28,7 @@ ${project.artifactId} - 4.1.53.Final + 4.1.100.Final 2.7.11 2.4.1 3.5.2 diff --git a/dolphinscheduler-dist/release-docs/LICENSE b/dolphinscheduler-dist/release-docs/LICENSE index 575c7b9d03e7..7ecacd44b02e 100644 --- a/dolphinscheduler-dist/release-docs/LICENSE +++ b/dolphinscheduler-dist/release-docs/LICENSE @@ -321,7 +321,7 @@ The text of each license is also included at licenses/LICENSE-[project].txt. mybatis-plus-extension 3.5.2: https://mvnrepository.com/artifact/com.baomidou/mybatis-plus-extension/3.5.2, Apache 2.0 mybatis-spring 2.0.7: https://mvnrepository.com/artifact/org.mybatis/mybatis-spring/2.0.7, Apache 2.0 netty 3.10.6.Final: https://github.com/netty/netty, Apache 2.0 - netty 4.1.53.Final: https://github.com/netty/netty/blob/netty-4.1.53.Final/LICENSE.txt, Apache 2.0 + netty 4.1.100.Final: https://github.com/netty/netty/blob/netty-4.1.100.Final/LICENSE.txt, Apache 2.0 nimbus-jose-jwt 9.8.1: https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.8.1, Apache 2.0 okhttp 4.12.0: https://mvnrepository.com/artifact/com.squareup.okhttp/okhttp/4.12.0, Apache 2.0 quartz 2.3.2: https://mvnrepository.com/artifact/org.quartz-scheduler/quartz/2.3.2, Apache 2.0 
@@ -458,7 +458,7 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
 netty-codec-http 4.1.53.Final: https://mvnrepository.com/artifact/io.netty/netty-codec-http/4.1.53.Final, Apache 2.0
 netty-codec-http2 4.1.53.Final: https://mvnrepository.com/artifact/io.netty/netty-codec-http2/4.1.53.Final, Apache 2.0
 netty-nio-client 2.17.282: https://mvnrepository.com/artifact/software.amazon.awssdk/netty-nio-client/2.17.282, Apache 2.0
- netty-transport-classes-epoll 4.1.91.Final: https://mvnrepository.com/artifact/io.netty/netty-transport-classes-epoll/4.1.91.Final, Apache 2.0
+ netty-transport-classes-epoll 4.1.100.Final: https://mvnrepository.com/artifact/io.netty/netty-transport-classes-epoll/4.1.100.Final, Apache 2.0
 profiles 2.17.282: https://mvnrepository.com/artifact/software.amazon.awssdk/profiles/2.17.282, Apache 2.0
 protocol-core 2.17.282: https://mvnrepository.com/artifact/software.amazon.awssdk/protocol-core/2.17.282, Apache 2.0
 regions 2.17.282: https://mvnrepository.com/artifact/software.amazon.awssdk/regions/2.17.282, Apache 2.0
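Review bot: The context lines of this hunk still read `netty-codec-http 4.1.53.Final` and `netty-codec-http2 4.1.53.Final`, although known-dependencies.txt in the same patch moves both jars to 4.1.100.Final, so the release LICENSE keeps naming the old version of the HTTP/2 codec that the commit title says is being upgraded for CVE-2023-44487. The hunk at -473 has the same gap for `netty-handler-proxy`, `netty-resolver-dns`, `netty-resolver-dns-native-macos`, `netty-transport-native-epoll` and `netty-transport-native-kqueue`. I would update each entry together with its URL, e.g. `netty-codec-http2 4.1.100.Final: https://mvnrepository.com/artifact/io.netty/netty-codec-http2/4.1.100.Final, Apache 2.0`, so that anyone auditing the distribution from its release docs sees the version that actually ships. Separately, `netty-tcnative-2.0.48.Final.jar` stays as a context line in known-dependencies.txt next to `netty-tcnative-classes-2.0.61.Final.jar`; it is worth confirming that this version mix is intended.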
@@ -473,7 +473,7 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
 netty-handler-proxy 4.1.53.Final: https://mvnrepository.com/artifact/io.netty/netty-handler-proxy/4.1.53.Final, Apache 2.0
 netty-resolver-dns 4.1.53.Final: https://mvnrepository.com/artifact/io.netty/netty-resolver-dns/4.1.53.Final, Apache 2.0
 netty-resolver-dns-native-macos 4.1.53.Final: https://mvnrepository.com/artifact/io.netty/netty-resolver-dns-native-macos/4.1.53.Final, Apache 2.0
- netty-tcnative-boringssl-static 2.0.59.Final: https://mvnrepository.com/artifact/io.netty/netty-tcnative-boringssl-static/2.0.59.Final, Apache 2.0
+ netty-tcnative-boringssl-static 2.0.61.Final: https://mvnrepository.com/artifact/io.netty/netty-tcnative-boringssl-static/2.0.61.Final, Apache 2.0
 netty-transport-native-epoll 4.1.53.Final: https://mvnrepository.com/artifact/io.netty/netty-transport-native-epoll/4.1.53.Final, Apache 2.0
 netty-transport-native-kqueue 4.1.53.Final: https://mvnrepository.com/artifact/io.netty/netty-transport-native-kqueue/4.1.53.Final, Apache 2.0
 oauth2-oidc-sdk 9.35: https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/9.35, Apache 2.0
diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt
index c03b02792274..50a521416733 100644
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -191,21 +191,21 @@ mybatis-plus-boot-starter-3.5.2.jar
 mybatis-plus-core-3.5.2.jar
 mybatis-plus-extension-3.5.2.jar
 mybatis-spring-2.0.7.jar
-netty-all-4.1.53.Final.jar
-netty-buffer-4.1.53.Final.jar
-netty-codec-4.1.53.Final.jar
-netty-codec-http-4.1.53.Final.jar
-netty-codec-http2-4.1.53.Final.jar
-netty-common-4.1.53.Final.jar
-netty-handler-4.1.53.Final.jar
+netty-all-4.1.100.Final.jar
+netty-buffer-4.1.100.Final.jar
+netty-codec-4.1.100.Final.jar
+netty-codec-http-4.1.100.Final.jar
+netty-codec-http2-4.1.100.Final.jar
+netty-common-4.1.100.Final.jar
+netty-handler-4.1.100.Final.jar
 netty-nio-client-2.17.282.jar
-netty-resolver-4.1.53.Final.jar
+netty-resolver-4.1.100.Final.jar
 netty-tcnative-2.0.48.Final.jar
-netty-tcnative-classes-2.0.59.Final.jar
-netty-transport-4.1.53.Final.jar
-netty-transport-classes-epoll-4.1.91.Final.jar
-netty-transport-native-epoll-4.1.53.Final.jar
-netty-transport-native-unix-common-4.1.53.Final.jar
+netty-tcnative-classes-2.0.61.Final.jar
+netty-transport-4.1.100.Final.jar
+netty-transport-classes-epoll-4.1.100.Final.jar
+netty-transport-native-epoll-4.1.100.Final.jar
+netty-transport-native-unix-common-4.1.100.Final.jar
 nimbus-jose-jwt-9.8.1.jar
 nimbus-jose-jwt-9.10.jar
 okhttp-2.7.5.jar
@@ -326,19 +326,19 @@ jackson-dataformat-xml-2.13.5.jar
 lang-tag-1.6.jar
 msal4j-1.13.3.jar
 msal4j-persistence-extension-1.1.0.jar
-netty-codec-dns-4.1.53.Final.jar
-netty-codec-socks-4.1.53.Final.jar
-netty-handler-proxy-4.1.53.Final.jar
-netty-resolver-dns-4.1.53.Final.jar
-netty-resolver-dns-native-macos-4.1.53.Final-osx-x86_64.jar
-netty-tcnative-boringssl-static-2.0.59.Final-linux-aarch_64.jar
-netty-tcnative-boringssl-static-2.0.59.Final-linux-x86_64.jar
-netty-tcnative-boringssl-static-2.0.59.Final-osx-aarch_64.jar
-netty-tcnative-boringssl-static-2.0.59.Final-osx-x86_64.jar
-netty-tcnative-boringssl-static-2.0.59.Final-windows-x86_64.jar
-netty-tcnative-boringssl-static-2.0.59.Final.jar
-netty-transport-native-epoll-4.1.53.Final-linux-x86_64.jar
-netty-transport-native-kqueue-4.1.53.Final-osx-x86_64.jar
+netty-codec-dns-4.1.100.Final.jar
+netty-codec-socks-4.1.100.Final.jar
+netty-handler-proxy-4.1.100.Final.jar
+netty-resolver-dns-4.1.100.Final.jar
+netty-resolver-dns-native-macos-4.1.100.Final-osx-x86_64.jar
+netty-tcnative-boringssl-static-2.0.61.Final-linux-aarch_64.jar
+netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar
+netty-tcnative-boringssl-static-2.0.61.Final-osx-aarch_64.jar
+netty-tcnative-boringssl-static-2.0.61.Final-osx-x86_64.jar
+netty-tcnative-boringssl-static-2.0.61.Final-windows-x86_64.jar
+netty-tcnative-boringssl-static-2.0.61.Final.jar
+netty-transport-native-epoll-4.1.100.Final-linux-x86_64.jar
+netty-transport-native-kqueue-4.1.100.Final-osx-x86_64.jar
 oauth2-oidc-sdk-9.35.jar
 reactor-core-3.4.29.jar
 reactor-netty-core-1.0.31.jar