Port back GHSA-cmxv-58fp-fm3g to v2.12.x branch

[jsochor-s1]

I see GHSA-cmxv-58fp-fm3g was addressed in 3.0.9 release.

However, there was no fix done to the 2.12.x branch. Is it intended to be considered out of life at this point?

The reason why we didn't upgrade:

• org.asynchttpclient:async-http-client:3.0.9 depends on io.netty:netty-codec-http:4.2.9.Final, however we also have other dependencies:
• io.grpc:grpc-netty requires io.netty:netty-codec-http:4.1.x and it will probably a bit longer before it officially supports 4.2.x, for example see Will grpc-java keep up with the latest final version of netty? grpc/grpc-java#11704 (comment)

Without a fix in the 2.12.x branch, the users are eventually forced to disable followRedirect() without having a way to safely enable it.

[hyperxpro]

2.12.x branch is EoL indeed, but I will backport it since this is a security problem. I need to figure out builds, so it will take some time, but hopefully tomorrow.

[lhotari]

2.12.x branch is EoL indeed, but I will backport it since this is a security problem. I need to figure out builds, so it will take some time, but hopefully tomorrow.

Thank you @hyperxpro . This would be very useful for Apache Pulsar.