[SPARK-18586][BUILD] netty-3.8.0.Final.jar has vulnerability CVE-2014-3488 and CVE-2014-0193

## What changes were proposed in this pull request?

Force update to latest Netty 3.9.x, for dependencies like Flume, to resolve two CVEs. 3.9.2 is the first version that resolves both, and, this is the latest in the 3.9.x line.

## How was this patch tested?

Existing tests

Author: Sean Owen <sowen@cloudera.com>

Closes #16102 from srowen/SPARK-18586.

dev/deps/spark-deps-hadoop-2.2

@@ -122,7 +122,7 @@ metrics-graphite-3.1.2.jar
 metrics-json-3.1.2.jar
 metrics-jvm-3.1.2.jar
 minlog-1.3.0.jar
-netty-3.8.0.Final.jar
+netty-3.9.9.Final.jar
 netty-all-4.0.42.Final.jar
 objenesis-2.1.jar
 opencsv-2.3.jar

dev/deps/spark-deps-hadoop-2.3

@@ -129,7 +129,7 @@ metrics-json-3.1.2.jar
 metrics-jvm-3.1.2.jar
 minlog-1.3.0.jar
 mx4j-3.0.2.jar
-netty-3.8.0.Final.jar
+netty-3.9.9.Final.jar
 netty-all-4.0.42.Final.jar
 objenesis-2.1.jar
 opencsv-2.3.jar

dev/deps/spark-deps-hadoop-2.4

@@ -129,7 +129,7 @@ metrics-json-3.1.2.jar
 metrics-jvm-3.1.2.jar
 minlog-1.3.0.jar
 mx4j-3.0.2.jar
-netty-3.8.0.Final.jar
+netty-3.9.9.Final.jar
 netty-all-4.0.42.Final.jar
 objenesis-2.1.jar
 opencsv-2.3.jar

dev/deps/spark-deps-hadoop-2.6

@@ -137,7 +137,7 @@ metrics-json-3.1.2.jar
 metrics-jvm-3.1.2.jar
 minlog-1.3.0.jar
 mx4j-3.0.2.jar
-netty-3.8.0.Final.jar
+netty-3.9.9.Final.jar
 netty-all-4.0.42.Final.jar
 objenesis-2.1.jar
 opencsv-2.3.jar

dev/deps/spark-deps-hadoop-2.7

@@ -138,7 +138,7 @@ metrics-json-3.1.2.jar
 metrics-jvm-3.1.2.jar
 minlog-1.3.0.jar
 mx4j-3.0.2.jar
-netty-3.8.0.Final.jar
+netty-3.9.9.Final.jar
 netty-all-4.0.42.Final.jar
 objenesis-2.1.jar
 opencsv-2.3.jar

pom.xml

@@ -557,7 +557,7 @@
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty</artifactId>
-        <version>3.8.0.Final</version>
+        <version>3.9.9.Final</version>
       </dependency>
       <dependency>
         <groupId>org.apache.derby</groupId>