fix: bump netty to 4.1.118 and drop duplicate pyspark in mmlspark/release demo image (#2557)

Addresses MSRC case 110886 / incident 31000000570827.

The mmlspark/release image (built from tools/docker/demo/Dockerfile) ships
Spark 3.5.4, which pins netty 4.1.96.Final. That version is flagged for
multiple CVEs (CVE-2023-44487, CVE-2024-29025, CVE-2025-24970, ...). Spark
has not bumped netty in any 3.5.x release.

netty 4.1.x is binary-compatible, so we replace all netty-*-4.1.96.Final*.jar
files in /opt/spark/jars/ with 4.1.118.Final right after the Spark extract.
This includes netty-codec-http2 (the specific artifact named by the finder).

Also removes 'pyspark' from the conda install line. It was pulling a
complete second Spark install (PySpark 4.0.1) into
/usr/local/lib/python*/site-packages/pyspark/ that nothing in the demo image
actually used (SPARK_HOME points at /opt/spark) and that doubled the surface
area scanners report on.

Validated locally:
- /opt/spark/jars/netty-*-4.1.96.Final*.jar: 0 matches after build
- /opt/spark/jars/netty-*-4.1.118.Final*.jar: full set present
- /usr/local/lib/.../pyspark: no longer exists
- spark-submit --version: works
- spark.range(5).count(): returns 5

Jetty (shaded inside hadoop-client-runtime-3.3.4.jar at 9.4.43) is OUT OF
SCOPE for this PR; that requires a Spark/Hadoop swap and will be tracked
separately.

Author: BrendanWalsh

tools/docker/demo/Dockerfile

@@ -30,7 +30,7 @@ RUN curl -sSL https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64
     && conda tos accept --override-channels --channel https://repo.anaconda.com/pkgs/main \
     && conda tos accept --override-channels --channel https://repo.anaconda.com/pkgs/r \
     && conda update -y conda \
-    && conda install -y python=3 jupyter pyspark \
+    && conda install -y python=3 jupyter \
     && pip install --upgrade "PyJWT>=2.12.0" \
     && conda clean --all --yes
 
@@ -42,6 +42,21 @@ RUN wget https://archive.apache.org/dist/spark/spark-${SPARK_VERSION}/spark-${SP
     && mv spark-${SPARK_VERSION}-bin-hadoop${HADOOP_VERSION} /opt/spark \
     && rm spark-${SPARK_VERSION}-bin-hadoop${HADOOP_VERSION}.tgz
 
+# Patch netty 4.1.96.Final (CVE-2023-44487, CVE-2024-29025, CVE-2025-24970, ...) to 4.1.118.Final.
+# Spark 3.5.x pins netty 4.1.96 upstream; we override in-place since 4.1.x is binary-compatible.
+ENV NETTY_VERSION=4.1.118.Final
+RUN cd /opt/spark/jars \
+    && rm -f netty-*-4.1.96.Final*.jar \
+    && for c in all buffer codec codec-http codec-http2 codec-socks common handler handler-proxy resolver transport transport-classes-epoll transport-classes-kqueue transport-native-unix-common; do \
+         curl -fsSLO "https://repo1.maven.org/maven2/io/netty/netty-${c}/${NETTY_VERSION}/netty-${c}-${NETTY_VERSION}.jar"; \
+       done \
+    && for cls in linux-x86_64 linux-aarch_64; do \
+         curl -fsSLO "https://repo1.maven.org/maven2/io/netty/netty-transport-native-epoll/${NETTY_VERSION}/netty-transport-native-epoll-${NETTY_VERSION}-${cls}.jar"; \
+       done \
+    && for cls in osx-x86_64 osx-aarch_64; do \
+         curl -fsSLO "https://repo1.maven.org/maven2/io/netty/netty-transport-native-kqueue/${NETTY_VERSION}/netty-transport-native-kqueue-${NETTY_VERSION}-${cls}.jar"; \
+       done
+
 ENV SPARK_HOME /opt/spark
 ENV PYTHONPATH $SPARK_HOME/python/:$SPARK_HOME/python/lib/py4j*:$PYTHON_PATH
 ENV PATH $SPARK_HOME/bin/:$SPARK_HOME/python/:$PATH