Your message dated Wed, 19 Nov 2025 11:21:12 +0000
with message-id <[email protected]>
and subject line Bug#1113994: fixed in netty 1:4.1.48-12
has caused the Debian Bug report #1113994,
regarding netty: CVE-2025-58057
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1113994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113994
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netty
Version: 1:4.1.48-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for netty.

CVE-2025-58057[0]:
| Netty is an asynchronous event-driven network application framework
| for rapid development of maintainable high performance protocol
| servers & clients. In netty-codec-compression versions 4.1.124.Final
| and below, and netty-codec versions 4.2.4.Final and below, when
| supplied with specially crafted input, BrotliDecoder and certain
| other decompression decoders will allocate a large number of
| reachable byte buffers, which can lead to denial of service.
| BrotliDecoder.decompress has no limit in how often it calls pull,
| decompressing data 64K bytes at a time. The buffers are saved in the
| output list, and remain reachable until OOM is hit. This is fixed in
| versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-
| codec-compression.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58057
    https://www.cve.org/CVERecord?id=CVE-2025-58057
[1] https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj
[2] https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
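The advisory above describes a decoder that keeps pulling 64K output chunks into a list with no upper bound. The following is an added example, not netty's code: it uses Python's zlib as a stand-in for BrotliDecoder and shows the defensive shape of such a loop, a chunked decompressor that checks a caller-supplied output budget after every pull. The 64K chunk size and the 4 MiB constructed sample are assumptions for the demonstration.

```python
import zlib

# Stand-in for the 64K-per-pull behaviour described in the advisory (assumption, not netty code).
CHUNK_SIZE = 64 * 1024


class DecompressionBudgetExceeded(Exception):
    """Raised when decompressed output would exceed the caller's budget."""


def inflate_with_budget(compressed: bytes, max_output: int, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Inflate `compressed` in bounded chunks and stop as soon as the output budget is exceeded.

    Unlike a loop that appends every pulled chunk to an output list until memory runs out,
    the running total is checked after each pull, so a small input with a huge expansion
    ratio is rejected early instead of being allowed to exhaust the heap.
    """
    decoder = zlib.decompressobj()
    chunks = []
    produced = 0
    pending = compressed
    while True:
        # max_length caps this pull's output; input not yet consumed comes back in unconsumed_tail
        chunk = decoder.decompress(pending, chunk_size)
        pending = decoder.unconsumed_tail
        if not chunk:
            break  # nothing more to produce: stream finished (or input exhausted)
        produced += len(chunk)
        if produced > max_output:
            raise DecompressionBudgetExceeded(
                f"output exceeded {max_output} bytes after {len(chunks) + 1} pulls")
        chunks.append(chunk)
    return b"".join(chunks)


def sample_input() -> bytes:
    """Constructed sample: 4 MiB of zeros deflates to a few KiB, i.e. a large expansion ratio."""
    return zlib.compress(b"\0" * (4 * 1024 * 1024), 9)


if __name__ == "__main__":
    data = sample_input()
    print(f"compressed sample is {len(data)} bytes")
    try:
        inflate_with_budget(data, max_output=1024 * 1024)
    except DecompressionBudgetExceeded as err:
        print(f"rejected: {err}")
```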
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-12
Done: Bastien Roucariès <[email protected]>

We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated netty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Nov 2025 09:30:49 +0100
Source: netty
Architecture: source
Version: 1:4.1.48-12
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1113994
Changes:
 netty (1:4.1.48-12) unstable; urgency=high
 .
   * Team upload
   * Fix CVE-2025-58057:
     When supplied with specially crafted input, BrotliDecoder
     and certain other decompression decoders will allocate
     a large number of reachable byte buffers, which can lead
     to denial of service. BrotliDecoder.decompress has no limit
     in how often it calls pull, decompressing data 64K bytes at
     a time. The buffers are saved in the output list, and remain
     reachable until OOM is hit.
     (Closes: #1113994)
Checksums-Sha1:
 9eaf4559cea779aff3cfec6e9101633f79ba160b 2447 netty_4.1.48-12.dsc
 022ad0c0c76dd4ba14b1e44d11cf0b99f0feeb2b 1665244 netty_4.1.48.orig.tar.xz
 4b3af54bbf85900b0f7c54fe8bb1c4a8fe1e7baf 54792 netty_4.1.48-12.debian.tar.xz
 57842408b5c6e34212b111cf358f251d5bd8f20d 5430 netty_4.1.48-12_source.buildinfo
Checksums-Sha256:
 c35b25c745caaac0f407b52d42dd13b9d2cafcf63256315e14dd1589114a534b 2447 netty_4.1.48-12.dsc
 e5351d821f461f64af58e89f260ad8943b0ab75f26c1a845300a91f22a711600 1665244 netty_4.1.48.orig.tar.xz
 302c7a604b6be30a617dad2ec77ff920d3b7ea3cbdd3524d7f0f22a048aaf52c 54792 netty_4.1.48-12.debian.tar.xz
 8ec9ad5c784b1d8039e621f3fd9d278885ae035356321ddd4b99d5e4956ef451 5430 netty_4.1.48-12_source.buildinfo
Files:
 a6094f329fb94c14838bf2469a3410d0 2447 java optional netty_4.1.48-12.dsc
 ebc25581b3e2b6e1bb47200ba260a636 1665244 java optional netty_4.1.48.orig.tar.xz
 887560581ec03192328539a348becb9d 54792 java optional netty_4.1.48-12.debian.tar.xz
 9bc0504ab81737f02d3553a85d70df67 5430 java optional netty_4.1.48-12_source.buildinfo



--- End Message ---
--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.