Upgrade netty-tcnative to 2.0.61.Final

This updates the version of boringssl and removes the dependency on APR.
netty-tcnative 2.0.56.Final uses APR 1.7.0, so is in scope for
CVE-2021-35940, CVE-2022-28331, and CVE-2022-24963. netty-tcnative is
not actually vulnerable. The binary does not include apr_socket_sendv(),
apr_encode_*(), apr_pencode_*(), apr_decode_*(), apr_pdecode_*(). The
binary does include apr_time_exp_*() but it is unused code.
Unfortunately --gc-sections wasn't used during compilation.
apr_time_now() is used, but that just calls gettimeofday() and is not
vulnerable.

There's no panic here, but this updates netty-tcnative just a few weeks
before we would have ordinarily done so. Bumping the version makes life
easier for everyone.

SECURITY.md

@@ -394,7 +394,8 @@ grpc-netty version | netty-handler version | netty-tcnative-boringssl-static ver
 1.44.x-1.47.x      | 4.1.72.Final          | 2.0.46.Final
 1.48.x-1.49.x      | 4.1.77.Final          | 2.0.53.Final
 1.50.x-1.53.x      | 4.1.79.Final          | 2.0.54.Final
-1.54.x-            | 4.1.87.Final          | 2.0.56.Final
+1.54.x-1.55.x      | 4.1.87.Final          | 2.0.56.Final
+1.56.x-            | 4.1.87.Final          | 2.0.61.Final
 
 _(grpc-netty-shaded avoids issues with keeping these versions in sync.)_
 

examples/example-tls/pom.xml

@@ -14,7 +14,6 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <grpc.version>1.56.0-SNAPSHOT</grpc.version><!-- CURRENT_GRPC_VERSION -->
     <protoc.version>3.22.3</protoc.version>
-    <netty.tcnative.version>2.0.56.Final</netty.tcnative.version>
     <!-- required for jdk9 -->
     <maven.compiler.source>1.8</maven.compiler.source>
     <maven.compiler.target>1.8</maven.compiler.target>

examples/example-xds/build.gradle

@@ -23,7 +23,6 @@ targetCompatibility = 1.8
 // Feel free to delete the comment at the next line. It is just for safely
 // updating the version in our release process.
 def grpcVersion = '1.56.0-SNAPSHOT' // CURRENT_GRPC_VERSION
-def nettyTcNativeVersion = '2.0.56.Final'
 def protocVersion = '3.22.3'
 
 dependencies {

gradle/libs.versions.toml

@@ -4,7 +4,9 @@
 googleauth = "1.4.0"
 guava = "31.1-android"
 netty = '4.1.87.Final'
-nettytcnative = '2.0.56.Final'
+# Keep the following references of tcnative version in sync whenever it's updated:
+#   SECURITY.md
+nettytcnative = '2.0.61.Final'
 opencensus = "0.31.1"
 protobuf = "3.22.3"
 
@@ -46,10 +48,6 @@ mockito-android = "org.mockito:mockito-android:3.12.4"
 mockito-core = "org.mockito:mockito-core:3.12.4"
 netty-codec-http2 = { module = "io.netty:netty-codec-http2", version.ref = "netty" }
 netty-handler-proxy = { module = "io.netty:netty-handler-proxy", version.ref = "netty" }
-# Keep the following references of tcnative version in sync whenever it's updated:
-#   SECURITY.md (multiple occurrences)
-#   examples/example-tls/build.gradle
-#   examples/example-tls/pom.xml
 netty-tcnative = { module = "io.netty:netty-tcnative-boringssl-static", version.ref = "nettytcnative" }
 netty-tcnative-classes = { module = "io.netty:netty-tcnative-classes", version.ref = "nettytcnative" }
 netty-transport-epoll = { module = "io.netty:netty-transport-native-epoll", version.ref = "netty" }

repositories.bzl

@@ -34,8 +34,8 @@ IO_GRPC_GRPC_JAVA_ARTIFACTS = [
     "io.netty:netty-handler-proxy:4.1.87.Final",
     "io.netty:netty-handler:4.1.87.Final",
     "io.netty:netty-resolver:4.1.87.Final",
-    "io.netty:netty-tcnative-boringssl-static:2.0.56.Final",
-    "io.netty:netty-tcnative-classes:2.0.56.Final",
+    "io.netty:netty-tcnative-boringssl-static:2.0.61.Final",
+    "io.netty:netty-tcnative-classes:2.0.61.Final",
     "io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.87.Final",
     "io.netty:netty-transport-native-unix-common:4.1.87.Final",
     "io.netty:netty-transport:4.1.87.Final",