GHSA-3p8m-j85q-pgmj cve fixes for akhq, celeborn and kserve

[jamie-albert]

Summary

Updates multiple packages to address Netty CVE-2025-58056 and CVE-2025-58057 by upgrading netty components to fixed versions.

Package Changes

akhq

• Epoch: 1 → 2
• Changes:
  • Updated micronaut from 4.3.8 to 4.9.3
  • Updated netty version to 4.1.125.Final in gradle.properties
  • Updated patch comment to include GHSA-3p8m-j85q-pgmj
  • Removed build.gradle modifications from patch (simplified approach)

celeborn-0.5

• Changes:
  • Removed auth/maven step as this causes dependencies to not be discoverable and breaks build
  • Updated netty.version from 4.1.118.Final to 4.1.125.Final in pombump-properties.yaml

kserve-modelmesh

• Epoch: 15 → 16 (added GHSA-3p8m-j85q-pgmj to epoch comment)
• Changes:
  • Added new patch netty-dep-additions.patch to explicitly declare netty dependencies
  • Added new pombump-properties.yaml with netty-version property
  • Updated netty-codec-http2 from 4.1.124.Final to 4.1.127.Final
  • Added netty-codec dependency at 4.1.127.Final
  • Added second maven/pombump step with properties-file configuration
  • Remove windows boringssl DLLS/Jars

CVEs Addressed

• CVE-2025-58056 / GHSA-fghv-69vj-qj49: netty-codec-http vulnerability, fixed in 4.2.5.Final
• CVE-2025-58057 / GHSA-3p8m-j85q-pgmj: netty-codec vulnerability, fixed in 4.1.125.Final

Verification

After these changes:

1. Netty components should be updated to non-vulnerable versions
2. All packages should build successfully with updated dependencies
3. CVE scans should show the vulnerabilities as resolved

Notes

• kserve-modelmesh now uses a hybrid approach with both explicit dependencies and pombump property management

[jamie-albert]

remaining cves are transitive deps and will need advisories

[dnegreira]

Advisories for the remaining CVEs: wolfi-dev/advisories#23399