Your message dated Sun, 08 Feb 2026 04:09:09 +0000
with message-id <[email protected]>
and subject line Bug#1123606: fixed in netty 1:4.1.48-15
has caused the Debian Bug report #1123606,
regarding netty: CVE-2025-67735
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123606: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123606
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: netty
Version: 1:4.1.48-14
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for netty.
CVE-2025-67735[0]:
| Netty is an asynchronous, event-driven network application
| framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the
| `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF
| injection with the request URI when constructing a request. This
| leads to request smuggling when `HttpRequestEncoder` is used without
| proper sanitization of the URI. Any application / framework using
| `HttpRequestEncoder` can be subject to be abused to perform request
| smuggling using CRLF injection. Versions 4.1.129.Final and
| 4.2.8.Final fix the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-67735
https://www.cve.org/CVERecord?id=CVE-2025-67735
[1] https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
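The report above attributes the flaw to a request URI reaching the request line without "proper sanitization". The following caller-side check is an added example, not part of the bug report and not Netty's or Debian's code. `RequestTargetGuard`, `requestLine` and `requireSafeTarget` are hypothetical names, and `requestLine` is a constructed stand-in for an encoder that copies the URI verbatim.

```java
import java.util.List;

public class RequestTargetGuard {

    /** Constructed stand-in for a request-line writer: METHOD SP target SP version CRLF.
     *  Not Netty's code; it only shows what reaches the wire when the target is copied verbatim. */
    static String requestLine(String method, String target) {
        return method + ' ' + target + " HTTP/1.1\r\n";
    }

    /** Returns the target unchanged, or throws if it could break out of the request line. */
    static String requireSafeTarget(String target) {
        if (target == null || target.isEmpty()) {
            throw new IllegalArgumentException("empty request target");
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            // CR/LF end the request line, SP/HTAB split its three tokens;
            // other controls and non-ASCII must be percent-encoded by the caller.
            if (c <= 0x20 || c >= 0x7f) {
                throw new IllegalArgumentException(String.format(
                    "illegal character 0x%02x at index %d in request target", (int) c, i));
            }
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> targets = List.of(
            "/search?q=netty",
            "/search?q=a%0d%0aX-Injected:%201",  // percent-encoded: stays on one line
            "/search?q=a\r\nX-Injected: 1");      // raw CRLF: a second line appears
        for (String t : targets) {
            long lines = requestLine("GET", t).chars().filter(ch -> ch == '\n').count();
            String verdict;
            try {
                requireSafeTarget(t);
                verdict = "accepted";
            } catch (IllegalArgumentException e) {
                verdict = "rejected: " + e.getMessage();
            }
            System.out.println(lines + " line(s) on the wire if unchecked -> " + verdict);
        }
    }
}
```

The check is deliberately stricter than URI syntax requires: it expects the caller to have percent-encoded anything outside printable ASCII before the target is handed to an HTTP encoder.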
--- Begin Message ---
Source: netty
Source-Version: 1:4.1.48-15
Done: Bastien Roucariès <[email protected]>
We believe that the bug you reported is fixed in the latest version of
netty, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated netty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 12 Jan 2026 00:43:40 +0100
Source: netty
Binary: libnetty-buffer-java libnetty-common-java libnetty-java
Architecture: source all
Version: 1:4.1.48-15
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Description:
 libnetty-buffer-java - Java NIO client/server socket framework
 libnetty-common-java - Java NIO client/server socket framework
 libnetty-java - Java NIO client/server socket framework
Closes: 1123606
Changes:
 netty (1:4.1.48-15) experimental; urgency=medium
 .
   * Team upload
   * Split package for preparing upgrade
   * Fix CVE-2025-67735 (Closes: #1123606)
     `io.netty.handler.codec.http.HttpRequestEncoder`
     has a CRLF injection with the request URI when constructing
     a request. This leads to request smuggling when
     `HttpRequestEncoder` is used without proper sanitization
     of the URI. Any application / framework using `HttpRequestEncoder`
     can be subject to be abused to perform request smuggling using
     CRLF injection
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.