logstash-plugins / logstash-input-tcp

Apache License 2.0

Update netty-all-4.1.65.Final.jar to latest #205

Closed amaciejk closed 1 year ago

amaciejk commented 2 years ago

logstash 8.3.3 (current latest) still uses older 4.1.65 netty via logstash-input-tcp-6.3.0 plugin:

ls logstash-8.3.3/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.3.0-java/vendor/jar-dependencies/io/netty/netty-all/
4.1.65.Final

As this version of netty is vulnerable to: CVE-2021-37136 CVE-2021-37137

can it please be bumped from netty-all-4.1.65.Final.jar to at least netty-all-4.1.68.Final.jar in: https://github.com/logstash-plugins/logstash-input-tcp/blob/main/build.gradle#L46 ?

amaciejk commented 1 year ago

Note that in latest logstash 8.6.0 / logstash-input-tcp-6.3.1 plugin these vulns are still being found and we are also hitting CVE-2022-41881 so netty needs to go to 4.1.86 (current latest).

Previous PR to bump netty was: https://github.com/logstash-plugins/logstash-input-tcp/pull/179

@andsel
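As an added example (not from the issue thread or the plugin's own code), a small check that walks a Logstash install's vendored jar-dependencies tree and flags netty-all copies older than the 4.1.86 the reporter asks for; the directory layout and the sample paths are assumed from the `ls` output above.

```python
import re
from pathlib import Path, PurePosixPath

# Floor taken from the report: 4.1.86 is the version said to address CVE-2022-41881.
MIN_NETTY = "4.1.86.Final"
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\w+))?$")


def parse_netty_version(name):
    """'4.1.65.Final' -> (4, 1, 65); None when the directory name is not a version."""
    m = _VER_RE.match(name)
    return tuple(int(x) for x in m.group(1, 2, 3)) if m else None


def outdated_netty(version_dirs, minimum=MIN_NETTY):
    """Return sorted [(gem_name, version)] for vendored netty-all dirs older than `minimum`.

    Each entry is a path ending in
    .../<gem>/vendor/jar-dependencies/io/netty/netty-all/<version> (the layout in the report).
    """
    floor = parse_netty_version(minimum)
    hits = []
    for p in map(PurePosixPath, version_dirs):
        ver = parse_netty_version(p.name)
        if ver is None or len(p.parents) < 6:
            continue  # not a version directory, or too shallow to name the owning gem
        gem = p.parents[5].name  # up through netty-all, netty, io, jar-dependencies, vendor
        if ver < floor:
            hits.append((gem, p.name))
    return sorted(hits)


def scan_logstash(root):
    """Walk a real Logstash install and report outdated vendored netty-all copies."""
    found = [str(d) for d in Path(root).glob("**/jar-dependencies/io/netty/netty-all/*") if d.is_dir()]
    return outdated_netty(found)


# Constructed sample paths mirroring the layout in the report; not real scan output.
SAMPLE_DIRS = [
    "logstash-8.3.3/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.3.0-java/vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final",
    "logstash-8.3.3/vendor/bundle/jruby/2.5.0/gems/other-plugin-1.0.0-java/vendor/jar-dependencies/io/netty/netty-all/4.1.86.Final",
]

if __name__ == "__main__":
    for gem, ver in outdated_netty(SAMPLE_DIRS):
        print(f"{gem}: netty-all {ver} is below {MIN_NETTY}")
```

Point `scan_logstash` at an unpacked Logstash directory to run the same check against a real install.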

andsel commented 1 year ago

Thank you for your report.

Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.