From 6d0644710025c113cc1fcc1592e94a524c853531 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JB=20Onofr=C3=A9?= <jbonofre@apache.org>
Date: Wed, 20 May 2026 19:01:20 +0200
Subject: [PATCH] Bump dependencies to address known CVEs

- netty 4.1.94.Final -> 4.1.133.Final (CVE-2024-29025, CVE-2025-58057, SslHandler native crash patched in 4.1.118.Final)
- snappy 1.1.2 -> 1.1.10.8 (CVE-2023-34453/34454/34455, CVE-2023-43642)
- karaf 4.3.7 -> 4.3.10 (CVE-2022-40145 JNDI LDAP RCE)
---
 pom.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index dfb76d0de33..bf36609a461 100644
--- a/pom.xml
+++ b/pom.xml
@@ -87,7 +87,7 @@
     <json-simple-version>1.1.1</json-simple-version>
     <junit-version>4.13.2</junit-version>
     <hamcrest-version>1.3</hamcrest-version>
-    <karaf-version>4.3.7</karaf-version>
+    <karaf-version>4.3.10</karaf-version>
     <log4j-version>2.25.3</log4j-version>
     <mockito-version>4.8.1</mockito-version>
     <owasp-dependency-check-version>12.1.0</owasp-dependency-check-version>
@@ -98,12 +98,12 @@
     <zookeeper-version>3.4.14</zookeeper-version>
     <qpid-proton-version>0.34.1</qpid-proton-version>
     <qpid-jms-version>1.9.0</qpid-jms-version>
-    <netty-version>4.1.94.Final</netty-version>
+    <netty-version>4.1.133.Final</netty-version>
     <regexp-version>1.4</regexp-version>
     <rome-version>2.1.0</rome-version>
     <shiro-version>1.13.0</shiro-version>
     <slf4j-version>2.0.17</slf4j-version>
-    <snappy-version>1.1.2</snappy-version>
+    <snappy-version>1.1.10.8</snappy-version>
     <spring-version>5.3.39</spring-version>
     <taglibs-version>1.2.5</taglibs-version>
     <velocity-version>2.4.1</velocity-version>