
[Aikido] Fix 3 critical issues in bcprov-jdk18on and 9 other issues #492

Open

aikido-autofix[bot] wants to merge 1 commit into main from aikido/update-packages-41682729-9fx9

Conversation

aikido-autofix (Bot, Contributor) commented May 29, 2026

Upgrade Netty and Bouncy Castle to fix critical HTTP request smuggling, response queue mispairing, and timing channel vulnerabilities.

✅ Code not affected by breaking changes.

✅ No breaking changes from the Bouncy Castle upgrade affect this codebase. The library is only present as a transitive dependency through test frameworks (Robolectric) and is not directly used in any source code. The codebase contains no PEM parsing, PGP operations, PKCS12 handling, post-quantum cryptography, or any other Bouncy Castle functionality that would be impacted by the breaking changes listed in versions 1.79-1.84.

All breaking changes by upgrading org.bouncycastle:bcprov-jdk18on from version 1.78 to 1.84 (CHANGELOG)

| Version | Description |
|---|---|
| 1.79.0 | The system property "org.bouncycastle.pemreader.lax" has been introduced for situations where the BC PEM parsing is now too strict. |
| 1.81.0 | Add configurable header validation to prevent malicious header injection in PGP cleartext signed messages; Fix signature packet encoding issues in PGPSignature.join() and embedded signatures while phasing out legacy format. |
| 1.81.0 | Private key encoding of ML-DSA and ML-KEM private keys now follows the latest IETF draft. |
| 1.82.0 | CBZip2InputStream no longer auto-closes at end-of-contents. |
| 1.82.0 | The legacy post-quantum package has now been removed. |
| 1.84.0 | PKCS12: Added default max iteration count of 5,000,000 (configurable via "org.bouncycastle.pkcs12.max_it_count" property). |
| 1.84.0 | CVE-2026-3505 - Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion. |
| 1.84.0 | CVE-2026-5588 - PKIX draft CompositeVerifier accepts empty signature sequence as valid. |

✅ 11 CVEs resolved by this upgrade, including 4 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-42581 | 🚨 CRITICAL | [netty-codec-http] HttpObjectDecoder fails to strip conflicting Content-Length headers in HTTP/1.0 requests with Transfer-Encoding: chunked, enabling request smuggling attacks when downstream systems trust Content-Length over Transfer-Encoding. |
| CVE-2026-42584 | 🚨 CRITICAL | [netty-codec-http] HTTP response queue mismatch allows attackers to cause request/response pairing errors, leading to body skipping and stream desynchronization that enables HTTP request smuggling and response confusion attacks. |
| CVE-2026-42585 | HIGH | [netty-codec-http] Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final. |
| CVE-2026-42580 | HIGH | [netty-codec-http] Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final. |
| CVE-2026-41417 | MEDIUM | [netty-codec-http] Request-line validation bypass via setUri() allows CRLF injection and HTTP request smuggling attacks when attacker-controlled input modifies the URI after object creation. |
| CVE-2026-42587 | MEDIUM | [netty-codec-http] HttpContentDecompressor fails to enforce decompression buffer limits for Brotli, Zstd, and Snappy encodings, allowing attackers to bypass decompression bomb protections and trigger out-of-memory denial of service attacks through unbounded memory allocation. |
| AIKIDO-2026-10630 | 🚨 CRITICAL | [bcprov-jdk18on] A covert timing channel vulnerability exists in Legion of the Bouncy Castle Inc. BC-JAVA core across all core modules. The issue is associated with the FrodoEngine.java component and affects BC-JAVA versions 1.71 through 1.83, fixed in 1.84. |
| CVE-2026-5598 | 🚨 CRITICAL | [bcprov-jdk18on] Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84. |
| CVE-2026-0636 | MEDIUM | [bcprov-jdk18on] An LDAP injection vulnerability in LDAPStoreHelper allows attackers to manipulate LDAP queries through improper neutralization of special elements. This could enable unauthorized access, information disclosure, or authentication bypass. |
| CVE-2026-42583 | HIGH | [netty-codec] Lz4FrameDecoder preallocates large ByteBufs (up to 32 MB) based on untrusted decompressedLength values, allowing remote attackers to cause denial of service through memory exhaustion with minimal payload. The vulnerability requires only a 21-byte header to trigger excessive memory allocation. |
| CVE-2026-42578 | HIGH | [netty-handler-proxy] HTTP header injection vulnerability in CONNECT requests due to disabled validation, allowing attackers to inject arbitrary headers into proxy requests. This could enable request smuggling, cache poisoning, or other HTTP-based attacks against proxy servers. |
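A reviewer-side check for a PR like this one is to confirm the *resolved* versions in the dependency tree actually reach the fix versions named in the advisories above (4.1.133.Final / 4.2.13.Final for netty-codec-http, 1.84 for bcprov-jdk18on), since a transitive pin can still drag an old version in. The script below is an added example and is not Aikido's or the project's code; it assumes `gradle dependencies` tree output as input, that every io.netty artifact shares one version, and uses a constructed sample tree.

```python
import re

# First fixed versions as stated in the PR description, keyed by Maven coordinates, as
# (branch prefix, first fixed version): Netty ships 4.1.x and 4.2.x in parallel, so 4.2.10
# is vulnerable although it sorts above 4.1.133. Assumption (not from the page): every
# io.netty artifact in a build shares one version, so netty-codec-http stands for all.
FIXED = {
    "io.netty:netty-codec-http": [((4, 1), (4, 1, 133)), ((4, 2), (4, 2, 13))],
    "org.bouncycastle:bcprov-jdk18on": [((1,), (1, 84))],
}

# "group:artifact:declared", optionally followed by " -> resolved" (Gradle tree syntax).
_COORD = re.compile(r"([\w.\-]+:[\w.\-]+):(\S+)(?:\s+->\s+(\S+))?")

def parse_version(text):
    """'4.1.133.Final' -> (4, 1, 133); '1.84' -> (1, 84). Textual qualifiers are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def resolved_coordinates(line):
    """Return (group:artifact, resolved version) for one dependency-tree line, else None."""
    m = _COORD.search(line)
    # Gradle prints "declared -> resolved" when conflict resolution changed the version.
    return (m.group(1), m.group(3) or m.group(2)) if m else None

def status(ga, version):
    """'fixed', 'vulnerable', or 'unknown' (a branch the advisory text does not cover)."""
    branches = FIXED.get(ga)
    if branches is None:
        return "unknown"
    v = parse_version(version)
    for branch, first_fixed in branches:
        if v[:len(branch)] == branch:
            return "fixed" if v >= first_fixed else "vulnerable"
    # Anything older than every fixed branch (e.g. Netty 4.0.x) is still "prior to" the fix.
    return "vulnerable" if v < min(f for _, f in branches) else "unknown"

def audit(tree_text):
    """Map each advisory-listed artifact found in the tree to (resolved version, status)."""
    findings = {}
    for line in tree_text.splitlines():
        parsed = resolved_coordinates(line)
        if parsed and parsed[0] in FIXED:
            findings[parsed[0]] = (parsed[1], status(*parsed))
    return findings

# Constructed excerpt in `gradle dependencies` output format; not taken from the PR.
SAMPLE_TREE = """\
+--- org.robolectric:robolectric:4.x
|    \\--- org.bouncycastle:bcprov-jdk18on:1.78
\\--- io.netty:netty-codec-http:4.1.100.Final -> 4.1.133.Final (*)
"""
```

Feed it the real tree (`./gradlew :app:dependencies --configuration testRuntimeClasspath`) before and after the bump; the bcprov line is the one to watch here, because the page says it only arrives transitively via Robolectric.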

changeset-bot (Bot) commented May 29, 2026

⚠️ No Changeset found

Latest commit: 76ee973

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

