From 882aa050ec3f8cb03a278b734130424fd5985b57 Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Mon, 25 Oct 2021 15:23:34 -0700
Subject: [PATCH 1/3] bump netty4 to 4.1.68

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 5dfe8b399d1e..ee60c3bbf3a8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -100,7 +100,7 @@
         <mysql.version>5.1.48</mysql.version>
         <mariadb.version>2.7.3</mariadb.version>
         <netty3.version>3.10.6.Final</netty3.version>
-        <netty4.version>4.1.63.Final</netty4.version>
+        <netty4.version>4.1.68.Final</netty4.version>
         <postgresql.version>42.2.14</postgresql.version>
         <protobuf.version>3.11.0</protobuf.version>
         <resilience4j.version>1.3.1</resilience4j.version>

From cfc071d74da8cd89fb231194849d91f3eb1602f5 Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Mon, 25 Oct 2021 15:43:59 -0700
Subject: [PATCH 2/3] suppress CVE-2021-37136 and CVE-2021-37137 for netty3

---
 owasp-dependency-check-suppressions.xml | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 8a36f7a3b7dc..b7da4e5a1676 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -162,6 +162,8 @@
     <cve>CVE-2019-16869</cve>
     <cve>CVE-2019-20444</cve>
     <cve>CVE-2019-20445</cve>
+    <cve>CVE-2021-37136</cve>
+    <cve>CVE-2021-37137</cve>
   </suppress>
   <suppress>
     <!-- TODO: Fix by upgrading hadoop-auth version -->
@@ -286,16 +288,18 @@
     <cve>CVE-2019-17571</cve>
   </suppress>
   <suppress>
-     <!--
-       - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-       -->
-     <notes><![CDATA[
-     file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-     ]]></notes>
-     <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-     <cve>CVE-2019-16869</cve>
-     <cve>CVE-2019-20444</cve>
-     <cve>CVE-2019-20445</cve>
+    <!--
+      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+      -->
+    <notes><![CDATA[
+    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+    <cve>CVE-2019-20444</cve>
+    <cve>CVE-2019-20445</cve>
+    <cve>CVE-2021-37136</cve>
+    <cve>CVE-2021-37137</cve>
   </suppress>
   <suppress>
        <!--

From d865b4b28d2c2783ed96892d9b83d70dcc8968b2 Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Mon, 25 Oct 2021 15:49:17 -0700
Subject: [PATCH 3/3] license

---
 licenses.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/licenses.yaml b/licenses.yaml
index bc7677872a80..8312ebcd814a 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1228,7 +1228,7 @@ name: Netty
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 4.1.63.Final
+version: 4.1.68.Final
 libraries:
   - io.netty: netty-buffer
   - io.netty: netty-codec