Bump io.netty:netty-all from 4.2.12.Final to 4.2.13.Final

[dependabot]

Bumps io.netty:netty-all from 4.2.12.Final to 4.2.13.Final.

Release notes

Sourced from io.netty:netty-all's releases.

netty-4.2.13.Final

CVEs Fixed

• CVE-2026-42586 (netty-codec-redis)
• CVE-2026-42578 (netty-handler-proxy)
• CVE-2026-42577 (netty-transport-native-epoll)
• CVE-2026-42587 (netty-codec-http, netty-codec-http2)
• CVE-2026-41417 (netty-codec-http)
• CVE-2026-42581 (netty-codec-http)
• CVE-2026-42580 (netty-codec-http)
• CVE-2026-42585 (netty-codec-http)
• CVE-2026-42579 (netty-codec-dns)
• CVE-2026-42582 (netty-codec-http3)
• CVE-2026-42583 (netty-codec, netty-codec-compression)
• CVE-2026-42584 (netty-codec-http)
• CVE-2026-44248 (netty-codec-mqtt)

What's Changed

• Kqueue: sendfile EINTR doesn't advance offset — data duplication by @​normanmaurer in netty/netty#16544
• Replace usage of strerror with thread-safe alternative by @​normanmaurer in netty/netty#16547
• Fix implementation of strerror_r_xsi for GNU by @​normanmaurer in netty/netty#16546
• Lazy init ArrayList in DefaultHeaders.getAll by @​doom369 in netty/netty#16526
• Less logging in AWS-LC build by @​chrisvest in netty/netty#16565
• Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext by @​normanmaurer in netty/netty#16545
• Auto-port 4.2: Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @​netty-project-bot in netty/netty#16543
• Avoid leak in PemReader on OutOfDirectMemoryError by @​raipc in netty/netty#16551
• IoUring: Disable test while we debug to unblock other builds by @​normanmaurer in netty/netty#16581
• Include user properties and subscription IDs in MqttProperties#isEmpty by @​ShadowySpirits in netty/netty#16575
• Native DNS resolver: Guard against malloc failures by @​normanmaurer in netty/netty#16559
• Auto-port 4.2: Increase timeouts for QuicChannelConnectTest by @​netty-project-bot in netty/netty#16578
• Fix parsing HTTP chunks with multiple extensions by @​chrisvest in netty/netty#16579
• Bump org.codehaus.plexus:plexus-utils from 3.4.2 to 4.0.3 in /codec-native-quic by @​dependabot[bot] in netty/netty#16572
• Revert to PR build to Ubuntu 22.04 by @​chrisvest in netty/netty#16595
• Native transports: Correctly create pipe when pipe2 is not supported by @​normanmaurer in netty/netty#16592
• Epoll: Cleanup code to always return negative value on failure by @​normanmaurer in netty/netty#16591
• Fix component search fast path by @​yawkat in netty/netty#16548
• Stabilize read-only toStringMultipleThreads1 by @​chrisvest in netty/netty#16608
• Stabilize more AbstractByteBufTests by @​chrisvest in netty/netty#16611
• Remove note about needing 256-bit for PQC by @​chrisvest in netty/netty#16605
• Stabilize testSessionInvalidate for Conscrypt by @​chrisvest in netty/netty#16615
• Quic: Correctly handle SSL_CTX_new failures by @​normanmaurer in netty/netty#16622
• Make LocalIoHandle public by @​rdicroce in netty/netty#16621
• Quic: Fix shadowing of variable which leads to incorrectly handling errors by @​normanmaurer in netty/netty#16623
• Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @​netty-project-bot in netty/netty#16629
• Fix shutdownInput bug in kqueue for empty recv buffer by @​chrisvest in netty/netty#16630
• fix FFM address semantics in directBufferAddress by @​dreamlike-ocean in netty/netty#16603
• HTTP2: Ensure HTTP2 preface is always send as first message by @​normanmaurer in netty/netty#16636
• Move Http2FrameCodecSubClassTest to correct package by @​normanmaurer in netty/netty#16640
• Kqueue: Fix usage of LOCAL_PEERPID by @​normanmaurer in netty/netty#16637
• Avoid ArrayQueue allocation in HttpServerCodec by @​doom369 in netty/netty#16596
• Fix file descriptor reuse bug in kqueue by @​chrisvest in netty/netty#16650

... (truncated)

Commits

• b3844c8 [maven-release-plugin] prepare release netty-4.2.13.Final
• 82f47fa Merge commit from fork
• ada0999 Merge commit from fork
• b4051e2 Fix BrotliDecoder not forwarding all decompressed chunks
• 67207c1 Merge commit from fork
• 541ca7c Merge commit from fork
• 943edb3 Fix codec-dns tests
• 6459a28 Merge commit from fork
• b4ba61b Fix checkstyle in HttpObjectDecoder
• 977661f Merge commit from fork
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9e31d080-0949-4a12-8764-697ed64466b9

📥 Commits

Reviewing files that changed from the base of the PR and between 3f41ce4 and 51b1adb.

📒 Files selected for processing (1)

• pom.xml

---

📝 Walkthrough

Walkthrough

This pull request updates the Netty library dependency used by the Openfire project. The netty.version Maven property in pom.xml is bumped from version 4.2.12.Final to 4.2.13.Final. This change affects all dependency declarations in the project that reference the ${netty.version} placeholder, ensuring the entire build uses the newer Netty patch version.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description clearly describes the changeset: it bumps the netty-all dependency from 4.2.12.Final to 4.2.13.Final, includes detailed release notes with CVE fixes and changes, and provides context for the update.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}