Your message dated Thu, 27 Nov 2025 20:56:02 +0000
with message-id <[email protected]>
and subject line Bug#1113995: fixed in netty 1:4.1.48-13
has caused the Debian Bug report #1113995,
regarding netty: CVE-2025-58056
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1113995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113995
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-10
Severity: important
Tags: security upstream
Forwarded: https://github.com/netty/netty/issues/15522
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for netty.

CVE-2025-58056[0]:
| Netty is an asynchronous event-driven network application framework
| for development of maintainable high performance protocol servers
| and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through
| 4.2.4.Final, Netty incorrectly accepts standalone newline characters
| (LF) as a chunk-size line terminator, regardless of a preceding
| carriage return (CR), instead of requiring CRLF per HTTP/1.1
| standards. When combined with reverse proxies that parse LF
| differently (treating it as part of the chunk extension), attackers
| can craft requests that the proxy sees as one request but Netty
| processes as two, enabling request smuggling attacks. This is fixed
| in versions 4.1.125.Final and 4.2.5.Final.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58056
    https://www.cve.org/CVERecord?id=CVE-2025-58056
[1] https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
[2] https://github.com/netty/netty/issues/15522
[3] https://github.com/netty/netty/pull/15611
[4] https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-13
Done: Bastien Roucariès <[email protected]>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Nov 2025 23:06:00 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-13
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1113995
Changes:
 netty (1:4.1.48-13) unstable; urgency=high
 .
   * Team upload
   * Fix test for junit4 for CVE-2025-58057 improving
     backporting. Thanks to Edwin Jiang.
   * Fix CVE-2025-58056 (Closes: #1113995)
     Netty incorrectly accepts standalone newline
     characters (LF) as a chunk-size line terminator,
     regardless of a preceding carriage return (CR),
     instead of requiring CRLF per HTTP/1.1 standards.
     When combined with reverse proxies that parse LF
     differently (treating it as part of the
     chunk extension), attackers can craft requests
     that the proxy sees as one request but Netty
     processes as two, enabling request smuggling attacks.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
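
The chunk-size terminator handling described in the CVE-2025-58056 text quoted in both messages above, as an added example that is not part of the bug report or of Netty's code: a small Python decoder whose strict mode requires CRLF after each chunk-size line and whose lenient mode models acceptance of a bare LF. The function names and the two sample bodies are constructed for illustration; trailer fields are not parsed.

```python
class ChunkFramingError(ValueError):
    """Raised when a chunked body violates the framing rules being enforced."""

def parse_chunked(body: bytes, strict: bool = True) -> list[bytes]:
    """Decode an HTTP/1.1 chunked body into its chunk payloads.

    strict=True  requires CRLF after every chunk-size line.
    strict=False models the lenient behaviour in the CVE text: any LF ends
    the chunk-size line, whether or not a CR precedes it.
    """
    chunks, pos = [], 0
    while True:
        lf = body.find(b"\n", pos)
        if lf == -1:
            raise ChunkFramingError("unterminated chunk-size line")
        has_cr = lf > pos and body[lf - 1:lf] == b"\r"
        if strict and not has_cr:
            raise ChunkFramingError(f"bare LF ends chunk-size line at offset {lf}")
        line = body[pos:lf - 1] if has_cr else body[pos:lf]
        size_field = line.split(b";", 1)[0].strip(b" \t")  # drop any chunk extension
        if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
            raise ChunkFramingError(f"invalid chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = lf + 1
        if size == 0:
            return chunks  # last-chunk reached; trailers are ignored in this sketch
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkFramingError("chunk data not followed by CRLF")
        chunks.append(data)
        pos += size + 2

def accepted_only_when_lenient(body: bytes) -> bool:
    """True when the body decodes leniently but strict CRLF framing rejects it."""
    def ok(strict: bool) -> bool:
        try:
            parse_chunked(body, strict)
            return True
        except ChunkFramingError:
            return False
    return ok(False) and not ok(True)

# Constructed sample bodies (not taken from the report).
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"
BARE_LF = b"5;ext=1\nhello\r\n0\r\n\r\n"  # chunk-size line ends in LF with no CR
```

A body for which `accepted_only_when_lenient` returns True is one that two HTTP parsers can frame differently, which is the condition the fix removes by rejecting it.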
