authorMate Szalay-Beko <symat@apache.org>2023-01-19 11:57:30 +0100
committerGitHub <noreply@github.com>2023-01-19 11:57:30 +0100
commitc7e15cee13abcfcad7bece2631716d5238c566a3 (patch)
tree66b7d53189acc931f161eb5c156e0cf7e94442de
parentaa8790c72bcb02ce6f15dd93bbf6df4a14f9015b (diff)
ZOOKEEPER-4649: Upgrade netty to 4.1.86 because of CVE-2022-41915 (#1963)
Co-authored-by: Mate Szalay-Beko <symat@apache.com>
-rwxr-xr-xpom.xml2
-rw-r--r--zookeeper-server/src/main/resources/NOTICE.txt225
-rw-r--r--zookeeper-server/src/main/resources/lib/netty-buffer-4.1.86.Final.LICENSE.txt (renamed from zookeeper-server/src/main/resources/lib/netty-buffer-4.1.76.Final.LICENSE.txt)0
-rw-r--r--zookeeper-server/src/main/resources/lib/netty-codec-4.1.86.Final.LICENSE.txt (renamed from zookeeper-server/src/main/resources/lib/netty-codec-4.1.76.Final.LICENSE.txt)0
-rw-r--r--zookeeper-server/src/main/resources/lib/netty-handler-4.1.86.Final.LICENSE.txt (renamed from zookeeper-server/src/main/resources/lib/netty-handler-4.1.76.Final.LICENSE.txt)0
-rw-r--r--zookeeper-server/src/main/resources/lib/netty-resolver-4.1.86.Final.LICENSE.txt (renamed from zookeeper-server/src/main/resources/lib/netty-resolver-4.1.76.Final.LICENSE.txt)0
-rw-r--r--zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.86.Final.LICENSE.txt (renamed from zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.76.Final.LICENSE.txt)0
-rw-r--r--zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.86.Final.LICENSE.txt (renamed from zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.76.Final.LICENSE.txt)0
8 files changed, 172 insertions, 55 deletions
diff --git a/pom.xml b/pom.xml
index 9de520a8d..232584547 100755
--- a/pom.xml
+++ b/pom.xml
@@ -558,7 +558,7 @@
<mockito.version>3.6.28</mockito.version>
<hamcrest.version>2.2</hamcrest.version>
<commons-cli.version>1.4</commons-cli.version>
- <netty.version>4.1.76.Final</netty.version>
+ <netty.version>4.1.86.Final</netty.version>
<jetty.version>9.4.49.v20220914</jetty.version>
<jackson.version>2.13.2.1</jackson.version>
<jline.version>2.14.6</jline.version>
diff --git a/zookeeper-server/src/main/resources/NOTICE.txt b/zookeeper-server/src/main/resources/NOTICE.txt
index efdd6b439..03601608e 100644
--- a/zookeeper-server/src/main/resources/NOTICE.txt
+++ b/zookeeper-server/src/main/resources/NOTICE.txt
@@ -11,10 +11,10 @@ for Airlift code can be found at:
https://github.com/airlift/airlift/blob/master/LICENSE
This product includes software developed by
-The Netty Project (http://netty.io/)
-Copyright 2011 The Netty Project
-
-The Netty NOTICE file contains the following items:
+The Netty Project (http://netty.io/) Copyright 2011 The Netty Project
+The Netty NOTICE file (https://github.com/netty/netty/blob/4.1/NOTICE.txt)
+contains the following items:
+---------------- start of netty NOTICE file ----------------
This product contains the extensions to Java Collections Framework which has
been derived from the works by JSR-166 EG, Doug Lea, and Jason T. Greene:
@@ -32,29 +32,112 @@ Base64 Encoder and Decoder, which can be obtained at:
* HOMEPAGE:
* http://iharder.sourceforge.net/current/java/base64/
-This product contains a modified version of 'JZlib', a re-implementation of
-zlib in pure Java, which can be obtained at:
+This product contains a modified portion of 'Webbit', an event based
+WebSocket and HTTP server, which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.webbit.txt (BSD License)
+ * HOMEPAGE:
+ * https://github.com/joewalnes/webbit
+
+This product contains a modified portion of 'SLF4J', a simple logging
+facade for Java, which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.slf4j.txt (MIT License)
+ * HOMEPAGE:
+ * https://www.slf4j.org/
+
+This product contains a modified portion of 'Apache Harmony', an open source
+Java SE, which can be obtained at:
+ * NOTICE:
+ * license/NOTICE.harmony.txt
* LICENSE:
- * license/LICENSE.jzlib.txt (BSD Style License)
+ * license/LICENSE.harmony.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://archive.apache.org/dist/harmony/
+
+This product contains a modified portion of 'jbzip2', a Java bzip2 compression
+and decompression library written by Matthew J. Francis. It can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.jbzip2.txt (MIT License)
+ * HOMEPAGE:
+ * https://code.google.com/p/jbzip2/
+
+This product contains a modified portion of 'libdivsufsort', a C API library to construct
+the suffix array and the Burrows-Wheeler transformed string for any input string of
+a constant-size alphabet written by Yuta Mori. It can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.libdivsufsort.txt (MIT License)
+ * HOMEPAGE:
+ * https://github.com/y-256/libdivsufsort
+
+This product contains a modified portion of Nitsan Wakart's 'JCTools', Java Concurrency Tools for the JVM,
+ which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.jctools.txt (ASL2 License)
+ * HOMEPAGE:
+ * https://github.com/JCTools/JCTools
+
+This product optionally depends on 'JZlib', a re-implementation of zlib in
+pure Java, which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.jzlib.txt (BSD style License)
* HOMEPAGE:
* http://www.jcraft.com/jzlib/
-This product contains a modified version of 'Webbit', a Java event based
-WebSocket and HTTP server:
+This product optionally depends on 'Compress-LZF', a Java library for encoding and
+decoding data in LZF format, written by Tatu Saloranta. It can be obtained at:
* LICENSE:
- * license/LICENSE.webbit.txt (BSD License)
+ * license/LICENSE.compress-lzf.txt (Apache License 2.0)
* HOMEPAGE:
- * https://github.com/joewalnes/webbit
+ * https://github.com/ning/compress
+
+This product optionally depends on 'lz4', a LZ4 Java compression
+and decompression library written by Adrien Grand. It can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.lz4.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://github.com/jpountz/lz4-java
+
+This product optionally depends on 'lzma-java', a LZMA Java compression
+and decompression library, which can be obtained at:
-This product optionally depends on 'Protocol Buffers', Google's data
+ * LICENSE:
+ * license/LICENSE.lzma-java.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://github.com/jponge/lzma-java
+
+This product optionally depends on 'zstd-jni', a zstd-jni Java compression
+and decompression library, which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.zstd-jni.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://github.com/luben/zstd-jni
+
+This product contains a modified portion of 'jfastlz', a Java port of FastLZ compression
+and decompression library written by William Kinney. It can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.jfastlz.txt (MIT License)
+ * HOMEPAGE:
+ * https://code.google.com/p/jfastlz/
+
+This product contains a modified portion of and optionally depends on 'Protocol Buffers', Google's data
interchange format, which can be obtained at:
* LICENSE:
* license/LICENSE.protobuf.txt (New BSD License)
* HOMEPAGE:
- * http://code.google.com/p/protobuf/
+ * https://github.com/google/protobuf
This product optionally depends on 'Bouncy Castle Crypto APIs' to generate
a temporary self-signed X.509 certificate when the JVM does not provide the
@@ -63,15 +146,31 @@ equivalent functionality. It can be obtained at:
* LICENSE:
* license/LICENSE.bouncycastle.txt (MIT License)
* HOMEPAGE:
- * http://www.bouncycastle.org/
+ * https://www.bouncycastle.org/
-This product optionally depends on 'SLF4J', a simple logging facade for Java,
-which can be obtained at:
+This product optionally depends on 'Snappy', a compression library produced
+by Google Inc, which can be obtained at:
* LICENSE:
- * license/LICENSE.slf4j.txt (MIT License)
+ * license/LICENSE.snappy.txt (New BSD License)
* HOMEPAGE:
- * http://www.slf4j.org/
+ * https://github.com/google/snappy
+
+This product optionally depends on 'JBoss Marshalling', an alternative Java
+serialization API, which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.jboss-marshalling.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://github.com/jboss-remoting/jboss-marshalling
+
+This product optionally depends on 'Caliper', Google's micro-
+benchmarking framework, which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.caliper.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://github.com/google/caliper
This product optionally depends on 'Apache Commons Logging', a logging
framework, which can be obtained at:
@@ -79,61 +178,79 @@ framework, which can be obtained at:
* LICENSE:
* license/LICENSE.commons-logging.txt (Apache License 2.0)
* HOMEPAGE:
- * http://commons.apache.org/logging/
+ * https://commons.apache.org/logging/
-This product optionally depends on 'Apache Logback', a logging framework,
-which can be obtained at:
+This product optionally depends on 'Apache Log4J', a logging framework, which
+can be obtained at:
* LICENSE:
- * license/LICENSE.logback.txt (Eclipse Public License 1.0)
+ * license/LICENSE.log4j.txt (Apache License 2.0)
* HOMEPAGE:
- * https://logback.qos.ch/
+ * https://logging.apache.org/log4j/
-This product optionally depends on 'JBoss Logging', a logging framework,
-which can be obtained at:
+This product optionally depends on 'Aalto XML', an ultra-high performance
+non-blocking XML processor, which can be obtained at:
* LICENSE:
- * license/LICENSE.jboss-logging.txt (GNU LGPL 2.1)
+ * license/LICENSE.aalto-xml.txt (Apache License 2.0)
* HOMEPAGE:
- * http://anonsvn.jboss.org/repos/common/common-logging-spi/
+ * https://wiki.fasterxml.com/AaltoHome
-This product optionally depends on 'Apache Felix', an open source OSGi
-framework implementation, which can be obtained at:
+This product contains a modified version of 'HPACK', a Java implementation of
+the HTTP/2 HPACK algorithm written by Twitter. It can be obtained at:
* LICENSE:
- * license/LICENSE.felix.txt (Apache License 2.0)
+ * license/LICENSE.hpack.txt (Apache License 2.0)
* HOMEPAGE:
- * http://felix.apache.org/
+ * https://github.com/twitter/hpack
-The bundled library Metrics Core NOTICE file reports the following items
+This product contains a modified version of 'HPACK', a Java implementation of
+the HTTP/2 HPACK algorithm written by Cory Benfield. It can be obtained at:
-Metrics
-Copyright 2010-2013 Coda Hale and Yammer, Inc.
+ * LICENSE:
+ * license/LICENSE.hyper-hpack.txt (MIT License)
+ * HOMEPAGE:
+ * https://github.com/python-hyper/hpack/
-This product includes software developed by Coda Hale and Yammer, Inc.
+This product contains a modified version of 'HPACK', a Java implementation of
+the HTTP/2 HPACK algorithm written by Tatsuhiro Tsujikawa. It can be obtained at:
-This product includes code derived from the JSR-166 project (ThreadLocalRandom, Striped64,
-LongAdder), which was released with the following comments:
+ * LICENSE:
+ * license/LICENSE.nghttp2-hpack.txt (MIT License)
+ * HOMEPAGE:
+ * https://github.com/nghttp2/nghttp2/
- Written by Doug Lea with assistance from members of JCP JSR-166
- Expert Group and released to the public domain, as explained at
- http://creativecommons.org/publicdomain/zero/1.0/
+This product contains a modified portion of 'Apache Commons Lang', a Java library
+provides utilities for the java.lang API, which can be obtained at:
-The Nappy Java NOTICE file reports the following items:
+ * LICENSE:
+ * license/LICENSE.commons-lang.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://commons.apache.org/proper/commons-lang/
-This product includes software developed by Google
- Snappy: http://code.google.com/p/snappy/ (New BSD License)
-This product includes software developed by Apache
- PureJavaCrc32C from apache-hadoop-common http://hadoop.apache.org/
- (Apache 2.0 license)
+This product contains the Maven wrapper scripts from 'Maven Wrapper', that provides an easy way to ensure a user has everything necessary to run the Maven build.
-This library containd statically linked libstdc++. This inclusion is allowed by
-"GCC RUntime Library Exception"
-http://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html
+ * LICENSE:
+ * license/LICENSE.mvn-wrapper.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://github.com/takari/maven-wrapper
+
+This product contains the dnsinfo.h header file, that provides a way to retrieve the system DNS configuration on MacOS.
+This private header is also used by Apple's open source
+ mDNSResponder (https://opensource.apple.com/tarballs/mDNSResponder/).
+
+ * LICENSE:
+ * license/LICENSE.dnsinfo.txt (Apple Public Source License 2.0)
+ * HOMEPAGE:
+ * https://www.opensource.apple.com/source/configd/configd-453.19/dnsinfo/dnsinfo.h
+
+This product optionally depends on 'Brotli4j', Brotli compression and
+decompression for Java., which can be obtained at:
+
+ * LICENSE:
+ * license/LICENSE.brotli4j.txt (Apache License 2.0)
+ * HOMEPAGE:
+ * https://github.com/hyperxpro/Brotli4j
-== Contributors ==
- * Tatu Saloranta
- * Providing benchmark suite
- * Alec Wysoker
- * Performance and memory usage improvement
+---------------- end of netty NOTICE file ---------------- \ No newline at end of file
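Review bot: The last NOTICE.txt hunk deletes more than Netty's own attribution. The removed blocks opening with `The bundled library Metrics Core NOTICE file reports the following items` and `The Nappy Java NOTICE file reports the following items:`, down through the libstdc++ statement and the `== Contributors ==` list, describe other bundled libraries, and nothing on the new side replaces them. This diff does not show those libraries being dropped from the distribution, so the removal looks like a side effect of pasting the upstream Netty NOTICE over the tail of the file. If they still ship, their notices should be kept after the `end of netty NOTICE file` marker. The new last line also has no trailing newline (`\ No newline at end of file`), which is worth restoring so a later append does not fuse onto the marker line.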
diff --git a/zookeeper-server/src/main/resources/lib/netty-buffer-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-buffer-4.1.86.Final.LICENSE.txt
index 6279e5206..6279e5206 100644
--- a/zookeeper-server/src/main/resources/lib/netty-buffer-4.1.76.Final.LICENSE.txt
+++ b/zookeeper-server/src/main/resources/lib/netty-buffer-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-codec-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-codec-4.1.86.Final.LICENSE.txt
index 6279e5206..6279e5206 100644
--- a/zookeeper-server/src/main/resources/lib/netty-codec-4.1.76.Final.LICENSE.txt
+++ b/zookeeper-server/src/main/resources/lib/netty-codec-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-handler-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-handler-4.1.86.Final.LICENSE.txt
index 6279e5206..6279e5206 100644
--- a/zookeeper-server/src/main/resources/lib/netty-handler-4.1.76.Final.LICENSE.txt
+++ b/zookeeper-server/src/main/resources/lib/netty-handler-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-resolver-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-resolver-4.1.86.Final.LICENSE.txt
index 6279e5206..6279e5206 100644
--- a/zookeeper-server/src/main/resources/lib/netty-resolver-4.1.76.Final.LICENSE.txt
+++ b/zookeeper-server/src/main/resources/lib/netty-resolver-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.86.Final.LICENSE.txt
index 6279e5206..6279e5206 100644
--- a/zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.76.Final.LICENSE.txt
+++ b/zookeeper-server/src/main/resources/lib/netty-transport-native-epoll-4.1.86.Final.LICENSE.txt
diff --git a/zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.76.Final.LICENSE.txt b/zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.86.Final.LICENSE.txt
index 6279e5206..6279e5206 100644
--- a/zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.76.Final.LICENSE.txt
+++ b/zookeeper-server/src/main/resources/lib/netty-transport-native-unix-common-4.1.86.Final.LICENSE.txt