
Conversation

@catmsred (Member)

Version bump to most recent tag 3.4.0

Relates: https://github.com/chainguard-dev/CVE-Dashboard/issues/51553

Version bump to most recent tag 3.4.0

Relates: chainguard-dev/CVE-Dashboard#51553

<!--ci-cve-scan:fail-any-->
@octo-sts octo-sts bot added the bincapz/pass label (Bincapz (aka malcontent) scan didn't detect any CRITICALs on the scanned packages) on Dec 18, 2025
@catmsred catmsred force-pushed the opensearch-3/GHSA-84h7-rjj3-6jx4 branch from 8a4514d to fb9048c on December 18, 2025 15:09
@catmsred (Member, Author)

Better but not fixed:

CVE Scan Results (mode: fail-any)
⚠️ CVEs Found (fail-any mode)
This check is running in fail-any mode and will fail because CVEs were found.

aarch64/opensearch-3-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-alerting-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-analysis-icu-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-analysis-kuromoji-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-analysis-nori-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-analysis-phonetic-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-analysis-smartcn-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-analysis-stempel-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-analysis-ukrainian-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-anomaly-detection-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-asynchronous-search-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-cross-cluster-replication-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-crypto-kms-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-custom-codecs-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-discovery-azure-classic-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-discovery-ec2-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-discovery-gce-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-geospatial-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-identity-shiro-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-index-management-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-ingest-attachment-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-job-scheduler-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-k-nn-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-mapper-annotated-text-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-mapper-murmur3-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-mapper-size-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-ml-commons-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-ml/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

aarch64/opensearch-3-neural-search-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-notifications-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-notifications/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

aarch64/opensearch-3-observability-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-performance-analyzer-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-performance-analyzer/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

aarch64/opensearch-3-reporting-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-repository-azure-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-repository-gcs-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-repository-s3-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-security-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-security/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

aarch64/opensearch-3-security-analytics-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-security-analytics/security-analytics-commons-1.0.0.jar
📦 netty-codec-http 4.1.125.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.1.129.Final

aarch64/opensearch-3-sql-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-store-smb-3.4.0-r0.apk
✅ No vulnerabilities found
aarch64/opensearch-3-telemetry-otel-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-alerting-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-analysis-icu-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-analysis-kuromoji-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-analysis-nori-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-analysis-phonetic-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-analysis-smartcn-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-analysis-stempel-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-analysis-ukrainian-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-anomaly-detection-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-asynchronous-search-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-cross-cluster-replication-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-crypto-kms-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-custom-codecs-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-discovery-azure-classic-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-discovery-ec2-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-discovery-gce-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-geospatial-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-identity-shiro-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-index-management-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-ingest-attachment-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-job-scheduler-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-k-nn-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-mapper-annotated-text-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-mapper-murmur3-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-mapper-size-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-ml-commons-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-ml/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

x86_64/opensearch-3-neural-search-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-notifications-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-notifications/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

x86_64/opensearch-3-observability-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-performance-analyzer-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-performance-analyzer/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

x86_64/opensearch-3-reporting-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-repository-azure-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-repository-gcs-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-repository-s3-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-security-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-security/netty-codec-http-4.2.7.Final.jar
📦 netty-codec-http 4.2.7.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.2.8.Final

x86_64/opensearch-3-security-analytics-3.4.0-r0.apk
└── 📄 /usr/share/opensearch/plugins/opensearch-security-analytics/security-analytics-commons-1.0.0.jar
📦 netty-codec-http 4.1.125.Final (java-archive)
Medium CVE-2025-67735 GHSA-84h7-rjj3-6jx4 fixed in 4.1.129.Final

x86_64/opensearch-3-sql-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-store-smb-3.4.0-r0.apk
✅ No vulnerabilities found
x86_64/opensearch-3-telemetry-otel-3.4.0-r0.apk
✅ No vulnerabilities found

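The scan above reports one advisory (CVE-2025-67735 / GHSA-84h7-rjj3-6jx4) against two different release lines: the netty-codec-http-4.2.7.Final.jar files shipped by the ml-commons, notifications, performance-analyzer and security plugins are fixed in 4.2.8.Final, while the security-analytics plugin carries a 4.1.125.Final copy inside security-analytics-commons-1.0.0.jar, fixed in 4.1.129.Final. A bump of the top-level netty version therefore does not touch the copy bundled inside the commons jar. The checker below is an added example, not code from this PR, from Wolfi's build tooling or from the CI scanner; it opens each jar, reads the Maven pom.properties entries that shaded jars retain for the libraries they bundle, and compares the version found against the fixed version of its own release line. The sample jars are constructed in a temporary directory by the script, and the treatment of an unknown release line (flagged for review rather than passed) is an assumption.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed versions per release line, as reported by the scan output above for
# CVE-2025-67735 / GHSA-84h7-rjj3-6jx4. The key is the major.minor line: a
# 4.1.x jar is fixed by 4.1.129.Final, not by anything on the 4.2 line.
FIXED_IN = {
    "4.1": "4.1.129.Final",
    "4.2": "4.2.8.Final",
}
GROUP = "io.netty"
ARTIFACT = "netty-codec-http"
POM_PROPERTIES = f"META-INF/maven/{GROUP}/{ARTIFACT}/pom.properties"


def parse_version(version: str) -> tuple:
    """'4.2.7.Final' -> (4, 2, 7). Only the dotted numeric prefix is ordered;
    the 'Final' qualifier carries no ordering information."""
    numeric = re.match(r"(\d+(?:\.\d+)*)", version).group(1)
    return tuple(int(part) for part in numeric.split("."))


def is_vulnerable(version: str) -> tuple:
    """Return (vulnerable, fixed_version) for one netty-codec-http version.
    An unknown release line is reported as vulnerable with fixed_version=None
    so that it is surfaced for review rather than silently passed (assumption)."""
    line = ".".join(version.split(".")[:2])
    fixed = FIXED_IN.get(line)
    if fixed is None:
        return True, None
    return parse_version(version) < parse_version(fixed), fixed


def netty_codec_http_versions(jar_path: Path) -> list:
    """Versions of netty-codec-http recorded in a jar's Maven metadata.
    A shaded jar keeps the pom.properties of every library it bundles, which is
    how a netty copy inside a *-commons jar is found without unpacking classes."""
    versions = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name != POM_PROPERTIES:
                continue
            props = {}
            for raw in zf.read(name).decode().splitlines():
                if "=" in raw and not raw.startswith("#"):
                    key, value = raw.split("=", 1)
                    props[key.strip()] = value.strip()
            versions.append(props["version"])
    return versions


def scan_plugins(root: Path) -> list:
    """One finding per vulnerable jar under root:
    (jar path relative to root, detected version, fixed version or None)."""
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        for version in netty_codec_http_versions(jar):
            vulnerable, fixed = is_vulnerable(version)
            if vulnerable:
                findings.append((jar.relative_to(root).as_posix(), version, fixed))
    return findings


def make_jar(path: Path, netty_version) -> None:
    """Constructed test jar: a manifest plus, if netty_version is given, the
    pom.properties entry a real netty-codec-http (or a jar shading it) carries."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if netty_version:
            zf.writestr(
                POM_PROPERTIES,
                f"# constructed sample\nversion={netty_version}\n"
                f"groupId={GROUP}\nartifactId={ARTIFACT}\n",
            )


def demo() -> list:
    """Build a plugin tree mirroring the scan above and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_jar(root / "opensearch-ml/netty-codec-http-4.2.7.Final.jar", "4.2.7.Final")
        make_jar(root / "opensearch-security-analytics/security-analytics-commons-1.0.0.jar", "4.1.125.Final")
        make_jar(root / "opensearch-sql/netty-codec-http-4.2.9.Final.jar", "4.2.9.Final")
        make_jar(root / "opensearch-sql/unrelated-1.0.jar", None)
        return scan_plugins(root)


if __name__ == "__main__":
    for jar, found, fixed in demo():
        print(f"{jar}: {ARTIFACT} {found} vulnerable, fixed in {fixed}")
```

Run it as a script to see the two findings the constructed tree produces; pointing scan_plugins at a real /usr/share/opensearch/plugins directory works the same way. Reading pom.properties is what makes the bundled copy visible: a check that only looks at jar file names would pass security-analytics-commons-1.0.0.jar.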
@catmsred catmsred force-pushed the opensearch-3/GHSA-84h7-rjj3-6jx4 branch from fb9048c to f3b8434 on December 18, 2025 19:29
@octo-sts (Contributor)

octo-sts bot commented Dec 18, 2025

🩹 Build Failed: Patch Application Failed

Reversed (or previously applied) patch detected! Assume -R? [n] Apply anyway? [n] Skipping patch. Hunk #1 ignored at 36. 1 out of 1 hunk ignored -- saving rejects to file gradle/libs.versions.toml.rej

Build Details

Category Details
Build System melange
Failure Point patch step for subpackage opensearch-3-alerting

Root Cause Analysis 🔍

The patch 'netty-bump.patch' appears to have already been applied to the gradle/libs.versions.toml file, or the patch is reversed. The patch system detected this and failed to apply the patch, resulting in a rejected hunk that was saved to gradle/libs.versions.toml.rej.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: opensearch-3.yaml

  • version_update at line 5 (package.version)
    Original:
version: "3.4.0"

Replacement:

version: "3.5.0"

Content:

Update package version to 3.5.0
  • commit_update at line 95 (expected-commit)
    Original:
expected-commit: 00336141f90b2456d7aa35e9052fd6baf7147423

Replacement:

expected-commit: [new-commit-hash-for-3.5.0]

Content:

Update expected commit hash for version 3.5.0
  • removal at line 97-99 (patch step)
    Original:
  - uses: patch
    with:
      patches: netty-bump.patch

Content:

Remove the patch step that applies netty-bump.patch
  • removal at line 172-175 (subpackage patch step)
    Original:
      - uses: patch
        with:
          patches: netty-bump.patch

Content:

Remove the patch step from external-plugins subpackage pipeline

File: opensearch-3/netty-bump.patch

  • file_deletion
    Content:
Delete the netty-bump.patch file as it's no longer needed

Analysis

The similar fixes show a consistent pattern: when patches fail to apply due to being "reversed or previously applied", the solution is to update the package version and remove the problematic patch files. All three examples follow this pattern:

  1. Fix #0: Updated opensearch-3 from version 3.2.0 to 3.3.0, removed the GHSA-3p8m-j85q-pgmj-netty-fix.patch file and its corresponding patch step
  2. Fix #1: Updated opensearch-2 from version 2.19.3 to 2.19.4, removed multiple patches including security-plugin-GHSA-vgq5-3255-v292.patch
  3. Fix #2: Updated metric-collector from version 0.3.5 to 0.3.6, removed the collectd-download-url-fix.patch

The root cause is that newer upstream versions already include the fixes that were previously applied via patches, making the patches redundant and causing conflicts.


Explanation

This fix addresses the root cause of the patch failure by updating to a newer OpenSearch version that already includes the netty version bump. The error occurs because the netty-bump.patch is trying to apply changes that are already present in the source code of version 3.4.0, or the patch format doesn't match the current file structure.

By updating to version 3.5.0 (following the pattern from similar fixes), we ensure:

  1. We get the latest security fixes and improvements from upstream
  2. The netty version is already at the required level without needing a patch
  3. We eliminate the patch conflict entirely

The removal of both patch steps (main pipeline and subpackage pipeline) ensures the build won't attempt to apply the problematic patch anywhere in the process. This follows the exact pattern seen in all three similar fixes where version updates resolved patch conflicts.


Alternative Approaches

  • Update the patch file content to match the current file structure in version 3.4.0, but this is more fragile and doesn't follow the established pattern
  • Check if the netty version is already sufficient in 3.4.0 and simply remove the patch without version update, but version updates are preferred for security
  • Use conditional patching with ignore-missing flags, but this could mask real issues and doesn't align with Wolfi's principle of using latest versions


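The message the bot quotes, "Reversed (or previously applied) patch detected!", is patch(1) finding a hunk's post-image in the target file where it expected the pre-image, which is what happens when a patch kept in the package recipe is absorbed by the upstream release the recipe is bumped to. Such a hunk is different from a genuine mismatch, where neither image is present and the hunk is simply rejected, and a build step can only make the right call (drop the patch versus fix it) if it tells the two apart. The dry-run below is an added example, not melange's or patch(1)'s code: it parses a single-file unified diff, classifies each hunk as applying, already applied, or rejected, and only rewrites the file when every hunk applies. It ignores the line-number hints and fuzz that patch(1) uses, so it is stricter than the real tool. The libs.versions.toml contents and the netty-bump hunk are constructed for illustration; they are not the upstream file or this PR's netty-bump.patch.

```python
import re
from typing import List, Tuple

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")


def parse_hunks(patch_text: str) -> List[Tuple[List[str], List[str]]]:
    """Split a single-file unified diff into (pre_image, post_image) per hunk.
    Context lines belong to both images, '-' lines only to the pre-image and
    '+' lines only to the post-image."""
    hunks: List[Tuple[List[str], List[str]]] = []
    pre = post = None
    for line in patch_text.splitlines():
        if HUNK_HEADER.match(line):
            if pre is not None:
                hunks.append((pre, post))
            pre, post = [], []
            continue
        if pre is None or line.startswith("\\"):
            continue  # '---'/'+++' headers before the first hunk, or '\ No newline at end of file'
        tag, body = line[:1], line[1:]
        if tag == "-":
            pre.append(body)
        elif tag == "+":
            post.append(body)
        else:  # ' ' context line (an empty context line arrives with tag == "")
            pre.append(body)
            post.append(body)
    if pre is not None:
        hunks.append((pre, post))
    return hunks


def find_block(lines: List[str], block: List[str]) -> int:
    """Index where `block` occurs as a contiguous run in `lines`, or -1."""
    width = len(block)
    for i in range(len(lines) - width + 1):
        if lines[i:i + width] == block:
            return i
    return -1


def classify_hunk(lines: List[str], pre: List[str], post: List[str]) -> str:
    """'applies' when the pre-image is present, 'already-applied' when only the
    post-image is (what patch(1) reports as 'Reversed (or previously applied)
    patch detected!'), 'rejected' when neither is (a genuine mismatch)."""
    if find_block(lines, pre) >= 0:
        return "applies"
    if find_block(lines, post) >= 0:
        return "already-applied"
    return "rejected"


def dry_run(file_text: str, patch_text: str) -> List[str]:
    """Classify every hunk against the target file without changing it."""
    lines = file_text.splitlines()
    return [classify_hunk(lines, pre, post) for pre, post in parse_hunks(patch_text)]


def apply_or_skip(file_text: str, patch_text: str) -> Tuple[str, str]:
    """Apply the patch only if every hunk applies cleanly; otherwise leave the
    file untouched and report why, so a build pipeline can drop a patch that
    upstream has already absorbed instead of failing the build on it."""
    statuses = dry_run(file_text, patch_text)
    if any(s == "rejected" for s in statuses):
        return file_text, "rejected"
    if any(s == "already-applied" for s in statuses):
        return file_text, "already-applied"
    lines = file_text.splitlines()
    for pre, post in parse_hunks(patch_text):
        start = find_block(lines, pre)
        lines[start:start + len(pre)] = post
    return "\n".join(lines) + "\n", "applied"


# Constructed sample inputs (illustrative; not the real upstream file or the PR's patch).
NETTY_BUMP_PATCH = """\
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,3 +1,3 @@
 [versions]
 opensearch = "3.4.0"
-netty = "4.2.7.Final"
+netty = "4.2.9.Final"
"""
TOML_BEFORE = '[versions]\nopensearch = "3.4.0"\nnetty = "4.2.7.Final"\n'
TOML_ALREADY_BUMPED = '[versions]\nopensearch = "3.4.0"\nnetty = "4.2.9.Final"\n'
TOML_OTHER_VERSION = '[versions]\nopensearch = "3.4.0"\nnetty = "4.2.8.Final"\n'

if __name__ == "__main__":
    samples = [("before", TOML_BEFORE), ("already bumped", TOML_ALREADY_BUMPED),
               ("other version", TOML_OTHER_VERSION)]
    for label, text in samples:
        print(f"{label}: {dry_run(text, NETTY_BUMP_PATCH)}")
```

Running the script prints one status per sample file. The "already-applied" outcome is the one the bot's suggestion responds to by deleting the patch; the "rejected" outcome is the case its "or the patch format doesn't match" wording lumps in with it, and that one needs the patch rewritten rather than removed.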
@octo-sts octo-sts bot added the ai/skip-comment label (Stop AI from commenting on PR) on Dec 18, 2025
@catmsred catmsred force-pushed the opensearch-3/GHSA-84h7-rjj3-6jx4 branch from f3b8434 to 86a43d6 on December 19, 2025 15:56
Bump netty version to 4.2.9.Final

Relates: chainguard-dev/CVE-Dashboard#51553

<!--ci-cve-scan:fail-any-->
@catmsred catmsred force-pushed the opensearch-3/GHSA-84h7-rjj3-6jx4 branch from 86a43d6 to 6b76625 on December 19, 2025 18:26
Bump netty-codec-http to 4.2.9.Final with upstream patch [1]

[1] opensearch-project/OpenSearch@f9a1f0d

Relates: chainguard-dev/CVE-Dashboard#51553

<!--ci-cve-scan:fail-any-->