From 47c34ad3b18f502be265565f0dfb8fe737b6af27 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Thu, 23 Oct 2025 19:07:50 +0000
Subject: [PATCH] celeborn-0.6/0.6.1-r0: fix GHSA-prj3-ccx8-p6x4
 <!--ci-cve-scan:must-fix: GHSA-prj3-ccx8-p6x4-->

---
 celeborn-0.6.yaml              | 2 +-
 celeborn-0.6/pombump-deps.yaml | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/celeborn-0.6.yaml b/celeborn-0.6.yaml
index e27c9a0dff2..9ba5f09e63f 100644
--- a/celeborn-0.6.yaml
+++ b/celeborn-0.6.yaml
@@ -1,7 +1,7 @@
 package:
   name: celeborn-0.6
   version: "0.6.1"
-  epoch: 0 # GHSA-jq43-27x9-3v86
+  epoch: 1 # GHSA-prj3-ccx8-p6x4
   description: "Apache Celeborn - A Remote Shuffle Service for Distributed Data Processing Engines"
   copyright:
     - license: Apache-2.0
diff --git a/celeborn-0.6/pombump-deps.yaml b/celeborn-0.6/pombump-deps.yaml
index 3b84653ee0a..01530d2c0a5 100644
--- a/celeborn-0.6/pombump-deps.yaml
+++ b/celeborn-0.6/pombump-deps.yaml
@@ -8,3 +8,6 @@ patches:
   - groupId: io.netty
     artifactId: netty-codec-smtp
     version: 4.1.128.Final
+  - groupId: io.netty
+    artifactId: netty-codec-http2
+    version: 4.1.124.Final