opensearch-project · reta · Nov 14, 2025 · coderabbitai · Dec 3, 2025 · coderabbitai
@@ -35,6 +35,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Support pull-based ingestion message mappers and raw payload support ([#19765](https://github.com/opensearch-project/OpenSearch/pull/19765))
 - Add search API tracker ([#18601](https://github.com/opensearch-project/OpenSearch/pull/18601))
 - Support dynamic consumer configuration update in pull-based ingestion ([#19963](https://github.com/opensearch-project/OpenSearch/pull/19963))
+- Support pull-based ingestion message mappers and raw payload support ([#19765](https://github.com/opensearch-project/OpenSearch/pull/19765)]
+- Support for HTTP/3 (server side) ([#20017](https://github.com/opensearch-project/OpenSearch/pull/20017))
 
 ### Changed
 - Combining filter rewrite and skip list to optimize sub aggregation([#19573](https://github.com/opensearch-project/OpenSearch/pull/19573))

@@ -149,6 +149,8 @@ netty-codec-dns = { group = "io.netty", name = "netty-codec-dns", version.ref =
 netty-codec-http = { group = "io.netty", name = "netty-codec-http", version.ref = "netty" }
 netty-codec-http2 = { group = "io.netty", name = "netty-codec-http2", version.ref = "netty" }
 netty-codec-http3 = { group = "io.netty", name = "netty-codec-http3", version.ref = "netty" }
+netty-codec-native-quic = { group = "io.netty", name = "netty-codec-native-quic", version.ref = "netty" }
+netty-codec-classes-quic = { group = "io.netty", name = "netty-codec-classes-quic", version.ref = "netty" }
 netty-common = { group = "io.netty", name = "netty-common", version.ref = "netty" }
 netty-handler = { group = "io.netty", name = "netty-handler", version.ref = "netty" }
 netty-resolver-dns = { group = "io.netty", name = "netty-resolver-dns", version.ref = "netty" }

@@ -63,14 +63,25 @@ dependencies {
   api "io.netty:netty-codec:${versions.netty}"
   api "io.netty:netty-codec-http:${versions.netty}"
   api "io.netty:netty-codec-http2:${versions.netty}"
+  api "io.netty:netty-codec-http3:${versions.netty}"
+  api "io.netty:netty-codec-classes-quic:${versions.netty}"
+  api "io.netty:netty-codec-native-quic:${versions.netty}"
   api "io.netty:netty-common:${versions.netty}"
   api "io.netty:netty-handler:${versions.netty}"
   api "io.netty:netty-resolver:${versions.netty}"
   api "io.netty:netty-transport:${versions.netty}"
   api "io.netty:netty-transport-native-unix-common:${versions.netty}"
+
   testFipsRuntimeOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   testFipsRuntimeOnly "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
   testFipsRuntimeOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
+
+  // Bundle all supported OSes and Archs
+  runtimeOnly "io.netty:netty-codec-native-quic:${versions.netty}:linux-x86_64"
+  runtimeOnly "io.netty:netty-codec-native-quic:${versions.netty}:linux-aarch_64"
+  runtimeOnly "io.netty:netty-codec-native-quic:${versions.netty}:osx-x86_64"
+  runtimeOnly "io.netty:netty-codec-native-quic:${versions.netty}:osx-aarch_64"
+  runtimeOnly "io.netty:netty-codec-native-quic:${versions.netty}:windows-x86_64"
 }
 
 restResources {
@@ -205,7 +216,9 @@ thirdPartyAudit {
 
     'io.netty.pkitesting.CertificateBuilder',
     'io.netty.pkitesting.CertificateBuilder$Algorithm',
-    'io.netty.pkitesting.X509Bundle'
+    'io.netty.pkitesting.X509Bundle',
+
+    'io.netty.channel.epoll.SegmentedDatagramPacket'
   )
 
   ignoreViolations(

@@ -0,0 +1 @@
+98e80e8a575aa5cacd0db278a91fc4b34e4721fe
@@ -0,0 +1 @@
+c9b6155713d6017a21e71dea3e041c4143facf5c
@@ -0,0 +1 @@
+7ecd8d1de6b3eb7eeb3dcdb1034780826e141f1c
@@ -0,0 +1 @@
+6a3e4398852f926c4b22f381d89dae2388446ae8
@@ -0,0 +1 @@
+c30d746bd588c07bac4ac04abde576c05a3c0a28
@@ -0,0 +1 @@
+f3679a6cc103292931098b1dc835ffb831e27368
@@ -0,0 +1 @@
+c4f177d2a99668c209acc31b8b85df58e9166218
@@ -0,0 +1 @@
+d6a7141d5fab45c8d2f6c646965f2dd53a43b41e
@@ -219,6 +219,8 @@ public HttpVersion protocolVersion() {
             return HttpRequest.HttpVersion.HTTP_1_1;
         } else if (request.protocolVersion().equals("HTTP/2.0")) {
             return HttpRequest.HttpVersion.HTTP_2_0;
+        } else if (request.protocolVersion().equals("HTTP/3.0")) {
+            return HttpRequest.HttpVersion.HTTP_3_0;
         } else {
             throw new IllegalArgumentException("Unexpected http protocol version: " + request.protocolVersion());
         }

@@ -33,6 +33,7 @@
 package org.opensearch.http.netty4;
 
 import org.opensearch.ExceptionsHelper;
+import org.opensearch.http.AbstractHttpServerTransport;
 import org.opensearch.http.HttpPipelinedRequest;
 
 import io.netty.channel.ChannelHandler;
@@ -42,9 +43,9 @@
 @ChannelHandler.Sharable
 class Netty4HttpRequestHandler extends SimpleChannelInboundHandler<HttpPipelinedRequest> {
 
-    private final Netty4HttpServerTransport serverTransport;
+    private final AbstractHttpServerTransport serverTransport;
 
-    Netty4HttpRequestHandler(Netty4HttpServerTransport serverTransport) {
+    Netty4HttpRequestHandler(AbstractHttpServerTransport serverTransport) {
         this.serverTransport = serverTransport;
     }
 

@@ -197,7 +197,7 @@ public class Netty4HttpServerTransport extends AbstractHttpServerTransport {
 
     /**
      * Creates new HTTP transport implementations based on Netty 4
-     * @param settings seetings
+     * @param settings settings
      * @param networkService network service
      * @param bigArrays big array allocator
      * @param threadPool thread pool instance
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		6a3e4398852f926c4b22f381d89dae2388446ae8
Copy link coderabbitai bot Dec 2, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. ⚠️ Potential issue \| 🟠 Major 🧩 Analysis chain 🏁 Script executed: #!/bin/bash # Fetch the actual SHA-1 from Maven Central for the specified artifact echo "Fetching SHA-1 from Maven Central..." curl -s "https://repo1.maven.org/maven2/io/netty/incubator/netty-incubator-codec-native-quic/4.2.7.Final/netty-incubator-codec-native-quic-4.2.7.Final-linux-x86_64.jar.sha1" echo "" # Try to find latest versions available echo "Checking available versions..." curl -s "https://search.maven.org/solrsearch/select?q=g:io.netty.incubator+AND+a:netty-incubator-codec-native-quic&core=gav&rows=50&wt=json" \| jq -r '.response.docs[] \| .v' \| sort -V \| tail -10 Repository: opensearch-project/OpenSearch Length of output: 202 🌐 Web query: `netty-incubator-codec-native-quic 4.2.7.Final security vulnerabilities CVE` 💡 Result: Short answer: There is no CVE that specifically names the artifact netty-incubator-codec-native-quic 4.2.7.Final. However, Netty 4.2.7.Final (the 4.2.x release line) includes security fixes — notably it addresses CVE-2025-59419 (SMTP command‑injection) and earlier 4.2.x releases fixed CVE-2025-58056 and CVE-2025-55163. If you rely on any Netty 4.2.x modules (including the incubator/native-quic artifact), use 4.2.7.Final or later to get those fixes. [1][2][3] Sources Netty 4.2.7.Final release notes (lists CVE-2025-59419). [1] Ubuntu / CVE entry for CVE-2025-59419 (describes affected 4.2.7.Final threshold). [2] GitHub advisory and NVD entries for related 4.2.x CVEs (CVE-2025-58056, CVE-2025-55163). [3] 🌐 Web query: `netty-incubator-codec-native-quic latest version 2025` 💡 Result: The latest released version is 0.0.74.Final (released Aug 18, 2025). [1][2] Sources: Netty release announcement. [1] Maven Central listing for the artifact. [2] Update netty-incubator-codec-native-quic to the latest version 0.0.74.Final. Version 4.2.7.Final is significantly outdated; the latest released version is 0.0.74.Final (August 2025). While 4.2.7.Final includes security fixes for CVE-2025-59419 and earlier vulnerabilities (CVE-2025-58056, CVE-2025-55163), it should be upgraded to 0.0.74.Final to obtain the most recent security patches and improvements.