GHSA-3p8m-j85q-pgmj cve fixes for akhq, celeborn and kserve

akhq.yaml

@@ -1,7 +1,7 @@
 package:
   name: akhq
   version: 0.26.0
-  epoch: 1
+  epoch: 2
   description: "Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more"
   copyright:
     - license: Apache-2.0
@@ -28,7 +28,7 @@ pipeline:
 
   - uses: patch
     with:
-      # includes patches for GHSA-pr98-23f8-jwxv, GHSA-6v67-2wr5-gvf4, GHSA-4g8c-wm8x-jfhw, GHSA-4g8c-wm8x-jfhw, GHSA-pq2g-wx69-c263, CVE-2025-48734, GHSA-j288-q9x7-2f5v and GHSA-xwmg-2g98-w7v9
+      # includes patches for GHSA-pr98-23f8-jwxv, GHSA-6v67-2wr5-gvf4, GHSA-4g8c-wm8x-jfhw, GHSA-4g8c-wm8x-jfhw, GHSA-pq2g-wx69-c263, CVE-2025-48734, GHSA-j288-q9x7-2f5v, GHSA-xwmg-2g98-w7v9 and GHSA-3p8m-j85q-pgmj
       patches: |
         cves-20250714.patch
 

akhq/cves-20250714.patch

@@ -16,7 +16,7 @@ index 6b2e9464..795fa607 100644
 +        force("com.nimbusds:nimbus-jose-jwt:" + nimbusJoseJwtVersion)
      }
  }
- 
+
 @@ -93,7 +101,7 @@ dependencies {
      implementation("io.micronaut:micronaut-http-server-netty")
      implementation("io.micronaut:micronaut-jackson-databind")
@@ -28,25 +28,27 @@ index 6b2e9464..795fa607 100644
      implementation("io.micronaut.security:micronaut-security-jwt")
 @@ -174,6 +182,8 @@ dependencies {
      implementation group: 'io.projectreactor', name: 'reactor-core', version: '3.7.6'
- 
+
      implementation 'io.jsonwebtoken:jjwt-impl:0.12.6'
 +
-+    implementation 'io.netty:netty-common:4.1.118.Final'
++    implementation 'io.netty:netty-common:4.1.125.Final'
  }
- 
+
  /**********************************************************************************************************************\
 @@ -295,4 +305,4 @@ shadowJar {
- 
+
  processResources.dependsOn ":client:installFrontend"
  processResources.dependsOn ":client:assembleFrontend"
 -processResources.dependsOn ":client:copyClientResources"
 +processResources.dependsOn ":client:copyClientResources"
-\ No newline at end of file
 diff --git a/gradle.properties b/gradle.properties
-index ae531b3b..362fbd59 100644
+index ae531b3b..707a3a72 100644
 --- a/gradle.properties
 +++ b/gradle.properties
-@@ -3,4 +3,12 @@ confluentVersion=7.4.4
+@@ -1,6 +1,14 @@
+-micronautVersion=4.3.8
++micronautVersion=4.9.3
+ confluentVersion=7.4.4
  kafkaVersion=3.6.2
  kafkaScalaVersion=2.13
  lombokVersion=1.18.32
@@ -58,7 +60,7 @@ index ae531b3b..362fbd59 100644
 +logbackVersion=1.5.16
 +commonsCompressVersion=1.26.0
 +vertxVersion=4.4.8
-+nettyVersion=4.1.118.Final
++nettyVersion=4.1.125.Final
 +jettyHttpVersion=12.0.12
 +beansVersion=1.11.0
 \ No newline at end of file

celeborn-0.5.yaml

@@ -1,7 +1,7 @@
 package:
   name: celeborn-0.5
   version: 0.5.4
-  epoch: 6
+  epoch: 7
   description: "Apache Celeborn - A Remote Shuffle Service for Distributed Data Processing Engines"
   copyright:
     - license: Apache-2.0
@@ -43,8 +43,6 @@ pipeline:
       repository: https://github.com/apache/${{vars.base-package-name}}.git
       tag: v${{package.version}}
 
-  - uses: auth/maven
-
   - uses: maven/pombump
 
   - uses: patch

celeborn-0.5/pombump-properties.yaml

@@ -10,7 +10,7 @@ properties:
   - property: maven.plugin.silencer.version
     value: 1.7.19
   - property: netty.version
-    value: 4.1.118.Final
+    value: 4.1.125.Final
   - property: protobuf.version
     value: 3.25.5
   - property: ratis.version

kserve-modelmesh.yaml

@@ -2,7 +2,7 @@
 package:
   name: kserve-modelmesh
   version: 0.12.0
-  epoch: 15 # GHSA-4cx2-fc23-5wg6
+  epoch: 16 # GHSA-4cx2-fc23-5wg6, GHSA-3p8m-j85q-pgmj
   description: The ModelMesh framework is a mature, general-purpose model serving management/routing layer designed for high-scale, high-density and frequently-changing model use cases.
   dependencies:
     runtime:
@@ -31,16 +31,25 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: f8212c75fffba9af22c3f3831ea0a8caade518d2
 
-  - uses: auth/maven
+  - uses: patch
+    with:
+      patches: netty-dep-additions.patch
 
   - uses: maven/pombump
 
+  - uses: maven/pombump
+    with:
+      properties-file: pombump-properties.yaml
+
   - name: Compile
     runs: |
       mvn -B package -Dfile.encoding=UTF8 -DskipTests=true --file pom.xml
       mkdir -p ${{targets.destdir}}/opt/kserve/mmesh
       mv /home/build/target/dockerhome/* ${{targets.destdir}}/opt/kserve/mmesh/
 
+      # Remove boringssl windows jar/DLLs
+      find ${{targets.destdir}}/opt/kserve/mmesh -name '*boringssl*windows*' -exec rm {} \;
+
       echo "$(date -d@${SOURCE_DATE_EPOCH} +%Y%m%d)-$(git rev-parse --short HEAD)" > ${{targets.destdir}}/opt/kserve/mmesh/build-version
       mkdir -p ${{targets.destdir}}/etc
       mkdir -p ${{targets.destdir}}/opt/kserve/mmesh/log

kserve-modelmesh/netty-dep-additions.patch

@@ -0,0 +1,25 @@
+diff --git a/pom.xml b/pom.xml
+index b55a1ac..a2e5f88 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -288,6 +288,20 @@
+
+   <dependencies>
+
++   <!-- Needed by com.ibm.watson.modelmesh.payload.RemotePayloadProcessor (io.netty.handler.codec.base64.*) -->
++   <dependency>
++     <groupId>io.netty</groupId>
++     <artifactId>netty-codec</artifactId>
++     <version>4.1.127.Final</version>
++   </dependency>
++
++   <!-- Commonly required by other Netty pipeline classes; keep aligned -->
++   <dependency>
++     <groupId>io.netty</groupId>
++     <artifactId>netty-handler</artifactId>
++     <version>4.1.127.Final</version>
++   </dependency>
++
+     <dependency>
+       <groupId>com.google.guava</groupId>
+       <artifactId>guava</artifactId>

kserve-modelmesh/pombump-deps.yaml

@@ -16,4 +16,7 @@ patches:
     version: "1.79"
   - groupId: io.netty
     artifactId: netty-codec-http2
-    version: 4.1.124.Final
+    version: 4.1.127.Final
+  - groupId: io.netty
+    artifactId: netty-codec
+    version: 4.1.127.Final

kserve-modelmesh/pombump-properties.yaml

@@ -0,0 +1,3 @@
+properties:
+  - property: netty-version
+    value: "4.1.127.Final"